b'Audit Report\n\n\n\n\nOIG-12-073\nReport on the Bureau of the Public Debt Federal Investments\nBranch\xe2\x80\x99s Description of its Investment/Redemption Services and\nthe Suitability of the Design and Operating Effectiveness of its\nControls for the Period August 1, 2011 to July 31, 2012\nSeptember 19, 2012\n\n\n\n\nOffice of\nInspector General\nDepartment of the Treasury\n\x0c                                      DEPARTMENT OF THE TREASURY\n                                            W ASHINGTON, D.C. 20220\n\n\n\n\n     OFFICE OF\nINSPECTOR GENERAL\n                                             September 19, 2012\n\n\n            MEMORANDUM FOR VAN ZECK, COMMISSIONER\n                           BUREAU OF THE PUBLIC DEBT\n\n            FROM:                  Michael Fitzgerald\n                                   Director, Financial Audits\n\n            SUBJECT:               Report on the Bureau of the Public Debt Federal\n                                   Investments Branch\xe2\x80\x99s Description of its\n                                   Investment/Redemption Services and the Suitability of the\n                                   Design and Operating Effectiveness of its Controls for the\n                                   Period August 1, 2011 to July 31, 2012\n\n\n            I am pleased to transmit the attached Report on the Bureau of the Public Debt (BPD)\n            Federal Investments Branch\xe2\x80\x99s Description of its Investment/Redemption Services and\n            the Suitability of the Design and Operating Effectiveness of its Controls for the\n            period August 1, 2011 to July 31, 2012. 
Under a contract monitored by the Office\n            of Inspector General, KPMG LLP, an independent certified public accounting firm,\n            performed an examination of the description of controls, the suitability of the design\n            and the operating effectiveness of the general computer and investment/redemption\n            processing controls used for various Federal Government agencies\xe2\x80\x99 (Fund Agencies)\n            transactions for the period August 1, 2011 to July 31, 2012. The contract required\n            that the examination be performed in accordance with generally accepted\n            government auditing standards and the American Institute of Certified Public\n            Accountants\xe2\x80\x99 Statement on Standards for Attestation Engagements Number 16,\n            Reporting on Controls at a Service Organization.\n\n            In its examination, KPMG LLP found in all material respects:\n\n                \xe2\x80\xa2   the Description of Controls Provided by the BPD fairly presents the general\n                    computer and investment/redemption processing controls that were designed\n                    and implemented throughout the period August 1, 2011 to July 31, 2012,\n                \xe2\x80\xa2   that these controls were suitably designed to provide reasonable assurance\n                    that the control objectives would be achieved if the controls operated\n                    effectively throughout the period August 1, 2011 to July 31, 2012, and Fund\n                    Agencies applied the complementary Fund Agency controls and sub-service\n\x0cPage 2\n\n\n       organizations applied the controls contemplated in the design of BPD\xe2\x80\x99s\n       controls throughout the period August 1, 2011 to July 31, 2012, and\n   \xe2\x80\xa2   that the controls tested, which together with the complementary Fund\n       Agency controls and sub-service organizations\xe2\x80\x99 controls, if operating\n       
effectively, were those necessary to provide reasonable assurance that the\n       control objectives were achieved and operated effectively throughout the\n       period August 1, 2011 to July 31, 2012.\n\nIn connection with the contract, we reviewed KPMG LLP\xe2\x80\x99s report and related\ndocumentation and inquired of its representatives. Our review, as differentiated\nfrom an examination of the description of controls, the suitability of the design and\nthe operating effectiveness of controls in accordance with generally accepted\ngovernment auditing standards, was not intended to enable us to express, and we\ndo not express, an opinion on BPD\'s description of controls, the suitability of the\ndesign of these controls and the operating effectiveness of controls tested.\nKPMG LLP is responsible for the attached independent service auditors\xe2\x80\x99 report dated\nSeptember 14, 2012, and the conclusions expressed in the report. However, our\nreview disclosed no instances where KPMG LLP did not comply, in all material\nrespects, with generally accepted government auditing standards.\n\nShould you have any questions, please contact me at (202) 927-5789, or a member\nof your staff may contact Mark S. Levitt, Manager, Financial Audits at\n(202) 927-5076.\n\nAttachment\n\x0c                 U.S. Department of the Treasury\n                    Bureau of the Public Debt\n\n\n\n                   Federal Investments Branch\n                     General Computer and\n            Investment/Redemption Processing Controls\n\n\n\n\n      Report on Federal Investment Branch\xe2\x80\x99s Description of Its\nInvestment/Redemption Services and the Suitability of the Design and\n              Operating Effectiveness of Its Controls\n           For the Period August 1, 2011 to July 31, 2012\n\x0c                                  U.S. 
DEPARTMENT OF THE TREASURY\n                                      BUREAU OF THE PUBLIC DEBT\n                                    FEDERAL INVESTMENTS BRANCH\n\n    REPORT ON FEDERAL INVESTMENT BRANCH\xe2\x80\x99S DESCRIPTION OF ITS\nINVESTMENT/REDEMPTION SERVICES AND THE SUITABILITY OF THE DESIGN\n          AND OPERATING EFECTIVENESS OF ITS CONTROLS\n\n\n                                                       Table of Contents\n\nSection                                                    Description                                                                            Page\n\n   I. Independent Service Auditors\xe2\x80\x99 Report Provided by KPMG LLP .......................................... 1\n\n  II. Management\xe2\x80\x99s Assertion ............................................................................................................. 5\n\n III. Description of Controls Provided by the Bureau of the Public Debt ...................................... 8\n\n        Overview of Operations ................................................................................................................. 9\n\n        Relevant Aspects of the Control Environment, Risk Assessment, and Monitoring...................... 14\n\n                Control Environment ........................................................................................................... 14\n                Risk Assessment.................................................................................................................. 14\n                Monitoring........................................................................................................................... 14\n\n        Information and Communication .................................................................................................. 
16\n\n        Control Objectives and Related Controls\n            The Bureau of the Public Debt\xe2\x80\x99s control objectives and related controls are\n            included in Section IV of this report, \xe2\x80\x9cControl Objectives, Related Controls, and\n            Tests of Operating Effectiveness.\xe2\x80\x9d Although the control objectives and related\n            controls are included in Section IV, they are, nevertheless, an integral part of\n            the Bureau of the Public Debt\xe2\x80\x99s description of controls.\n\n        Complementary Fund Agency Controls ....................................................................................... 18\n\n        Sub-service Organizations ............................................................................................................ 20\n\n IV. Control Objectives, Related Controls, and Tests of Operating Effectiveness ....................... 21\n\n        General Computer Controls .......................................................................................................... 22\n\n                System Software.................................................................................................................. 22\n                Vendor Software ................................................................................................................. 25\n                Program Change Control..................................................................................................... 27\n                Physical Access ................................................................................................................... 29\n                Logical Access .................................................................................................................... 32\n\x0c             Computer Operations .......................................................................................................... 
35\n             Network Performance Monitoring ...................................................................................... 37\n\n     Investment/Redemption Processing Controls ............................................................................... 38\n\n             Item Processing Security .................................................................................................... 38\n             Item Capture ........................................................................................................................ 39\n             Confirmations...................................................................................................................... 47\n             Fund Balance Adjustment ................................................................................................... 49\n             Recordkeeping..................................................................................................................... 51\n             Segregation of Duties .......................................................................................................... 53\n             Interest Calculation and Payments ...................................................................................... 55\n             Statement Rendering ........................................................................................................... 59\n\nV.   Other Information Provided by Bureau of the Public Debt ................................................... 62\n\n     Contingency Planning ................................................................................................................... 63\n\x0cI.   
INDEPENDENT SERVICE AUDITORS\xe2\x80\x99 REPORT\n             PROVIDED BY KPMG LLP\n\n\n\n\n                    1\n\x0c                                KPMG LLP\n                                1676 International Drive\n                                McLean, VA 22102\n\n\n\n\n                                   Independent Service Auditors\xe2\x80\x99 Report\n\n\nInspector General, U.S. Department of the Treasury\nCommissioner, Bureau of the Public Debt and the\nAssistant Commissioner, Office of Public Debt Accounting\n\n\nScope\nWe have examined the Bureau of the Public Debt (BPD) Federal Investment Branch\xe2\x80\x99s (FIB\xe2\x80\x99s) description\nof its general computer and investment/redemption processing controls used for processing Fund Agencies\xe2\x80\x99\ntransactions throughout the period August 1, 2011 to July 31, 2012 (description) and the suitability of the\ndesign and operating effectiveness of controls to achieve the related control objectives stated in the\ndescription. The description indicates that certain control objectives specified in the description can be\nachieved only if complementary Fund Agency controls and controls at the sub-service organizations\ncontemplated in the design of BPD\xe2\x80\x99s controls are suitably designed and operating effectively, along with\nrelated controls at the service organization. We have not evaluated the suitability of the design or the\noperating effectiveness of such complementary Fund Agency controls or controls at the sub-service\norganizations.\n\n\nBPD uses external service organizations (sub-service organizations). A list of these sub-service\norganizations is provided in Section III. The description in Sections III and IV includes only the control\nobjectives and related controls of BPD and excludes the control objectives and related controls of the sub-\nservice organizations. 
Our examination did not extend to controls of sub-service organizations.\n\n\nThe information in Section V of management\xe2\x80\x99s description of the service organization\xe2\x80\x99s system, \xe2\x80\x9cOther\nInformation Provided by Bureau of the Public Debt,\xe2\x80\x9d that describes contingency planning is presented by\nmanagement of BPD to provide additional information and is not a part of BPD\xe2\x80\x99s description of its system\nmade available to Fund Agencies during the period August 1, 2011 to July 31, 2012. Information in\nSection V has not been subjected to the procedures applied in the examination of the description of the\nsystem and of the suitability of the design and operating effectiveness of controls to achieve the related\ncontrol objectives stated in the description of the system, and, accordingly, we express no opinion on it.\n\n\nService organization\xe2\x80\x99s responsibilities\nIn Section II, BPD has provided an assertion about the fairness of the presentation of the description, the\nsuitability of the design and the operating effectiveness of the controls to achieve the related control\nobjectives stated in the description. BPD is responsible for preparing the description and for the assertion,\nincluding the completeness, accuracy, and method of presentation of the description and the assertion,\nproviding the services covered by the description, specifying the control objectives and stating them in the\ndescription, identifying the risks that threaten the achievement of the control objectives, selecting and using\nsuitable criteria, and designing, implementing, and documenting controls to achieve the related control\nobjectives stated in the description.\n\n                                                                        2\n                                KPMG LLP is a Delaware limited liability partnership,\n                                the U.S. 
member firm of KPMG International Cooperative\n                                (\xe2\x80\x9cKPMG International\xe2\x80\x9d), a Swiss entity.\n\x0cService auditors\xe2\x80\x99 responsibilities\nOur responsibility is to express an opinion on the fairness of the presentation of the description, the\nsuitability of the design and the operating effectiveness of the controls to achieve the related control\nobjectives stated in the description, based on our examination. We conducted our examination in\naccordance with attestation standards established by the American Institute of Certified Public Accountants\nand applicable Government Auditing Standards issued by the Comptroller General of the United States.\nThose standards require that we plan and perform our examination to obtain reasonable assurance about\nwhether, in all material respects, the description is fairly presented, the controls were suitably designed and\nthe controls were operating effectively to achieve the related control objectives stated in the description\nthroughout the period August 1, 2011 to July 31, 2012.\n\n\nAn examination of a description of a service organization\'s system and the suitability of the design and\noperating effectiveness of the service organization\'s controls to achieve the related control objectives stated\nin the description involves performing procedures to obtain evidence about the fairness of the presentation\nof the description and the suitability of the design and the operating effectiveness of those controls to\nachieve the related control objectives stated in the description. Our procedures included assessing the risks\nthat the description is not fairly presented and that the controls were not suitably designed or operating\neffectively to achieve the related control objectives stated in the description. 
Our procedures also included\ntesting the operating effectiveness of those controls that we consider necessary to provide reasonable\nassurance that the related control objectives stated in the description were achieved. An examination\nengagement of this type also includes evaluating the overall presentation of the description and the\nsuitability of the control objectives stated therein, and the suitability of the criteria specified by the service\norganization and described in management\xe2\x80\x99s assertion in Section II of this report. We believe that the\nevidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.\n\n\nInherent limitations\nBecause of their nature, controls at a service organization may not prevent, or detect and correct, all errors\nor omissions in processing or reporting transactions. Also, the projection to the future of any evaluation of\nthe fairness of the presentation of the description, or conclusions about the suitability of the design or\noperating effectiveness of the controls to achieve the related control objectives is subject to the risk that\ncontrols at a service organization may become inadequate or fail.\n\n\nOpinion\nIn our opinion, in all material respects, based on the criteria described in BPD\xe2\x80\x99s assertion, (1) the\ndescription fairly presents the general computer and investment/redemption processing controls that were\ndesigned and implemented throughout the period August 1, 2011 to July 31, 2012, (2) the controls related\nto the control objectives stated in the description were suitably designed to provide reasonable assurance\nthat the control objectives would be achieved if the controls operated effectively throughout the period\nAugust 1, 2011 to July 31, 2012, and Fund Agencies applied the complementary Fund Agency controls and\nsub-service organizations applied the controls contemplated in the design of BPD\xe2\x80\x99s controls throughout the\nperiod August 1, 
2011 to July 31, 2012, and (3) the controls tested, which together with the complementary\nFund Agency controls and sub-service organizations\xe2\x80\x99 controls referred to in the scope paragraph of this\nreport, if operating effectively, were those necessary to provide reasonable assurance that the control\nobjectives stated in the description in Section IV were achieved, operated effectively throughout the period\nAugust 1, 2011 to July 31, 2012.\n                                                           3\n\x0cDescription of tests of controls\nThe specific controls and the nature, timing, extent, and results of the tests are listed in Section IV.\n\n\nRestricted use\nThis report, including the description of tests of controls and results thereof in Section IV, is intended\nsolely for the information and use of the management of BPD, Fund Agencies of BPD\xe2\x80\x99s system during\nsome or all of the period August 1, 2011 to July 31, 2012, the U.S. Department of the Treasury Office of\nInspector General, the Office of Management and Budget, the Government Accountability Office, the U.S.\nCongress, and the independent auditors of BPD\xe2\x80\x99s Fund Agencies, who have a sufficient understanding to\nconsider it, along with other information including information about controls implemented by Fund\nAgencies themselves, when assessing the risks of material misstatements of Fund Agencies\xe2\x80\x99 financial\nstatements. This report is not intended to be and should not be used by anyone other than these specified\nparties.\n\n\n\n\nSeptember 14, 2012\nMcLean, Virginia\n\n\n\n\n                                                           4\n\x0cII.   
MANAGEMENT\xe2\x80\x99S ASSERTION\n\n\n\n\n               5\n\x0c                                       Department of the Treasury\n                                         Bureau of the Public Debt\n                                       Parkersburg, WV 26106-1328\n\n\n\n\n                                               September 14, 2012\n\nKPMG LLP\n1676 International Drive\nMcLean, VA 22102\n\nLadies and Gentlemen:\n\nWe have prepared the description of the Federal Investments Branch (FIB) Investment/ Redemption\nProcessing Controls that use the InvestOne accounting system and FedInvest customer portal which are\nvendor supplied subsystems of the Government Agency Investment Services System (GAISS) for user\nentities of the system during some or all of the period of August 1, 2011 through July 31, 2012, and their user\nauditors who have a sufficient understanding to consider the description, along with other information,\nincluding information about controls operated by user entities of the system themselves, when assessing the\nrisks of material misstatements of user entities\xe2\x80\x99 financial statements. We confirm, to the best of our\nknowledge, and belief, that\n\na. FIB uses a number of different sub-service organizations for certain transaction processing:\n\n       Sub-Service Organization                    Description of Services\n         Federal Reserve Bank of New York          Treasury security price data\n\n       U.S. Department of Treasury \xe2\x80\x93               Treasury security price data\n       Office of Debt Management\n\n       U.S. Department of Treasury \xe2\x80\x93                 Provides financial and IPAC reports\n       Financial Management Service\n\n\n    The description in Sections III and IV includes only the controls and related control objectives of FIB\n    and excludes the control objectives and related controls of the services listed above from the respective\n    service organizations. 
The criteria we used in making this assertion were that the accompanying\n    description:\n\n  i.     presents how the system made available to user entities of the system was designed and implemented\n         to process relevant transactions, including:\n\n         1. the types of services provided, including, as appropriate, the classes of transactions processed;\n         2. the procedures, within both automated and manual systems, by which those transactions were\n            initiated, authorized, recorded, processed, corrected as necessary, and transferred to the reports\n            prepared for user entities;\n         3. the related accounting records, supporting information, and specific accounts that were used to\n            initiate, authorize, record, process, and report transactions; this includes the correction of\n            incorrect information and how information was transferred to the reports prepared for user\n            entities;\n                                                           6\n\x0c         4. how the systems captured and addressed significant events and conditions, other than\n            transactions;\n         5. the process used to prepare reports or other information for user entities;\n         6. specified control objectives and controls designed to achieve those objectives;\n         7. controls that we assumed, in the design of the system, would be implemented by user entities,\n            and which, if necessary to achieve control objectives stated in the accompanying description,\n            are identified in the description along with the specific control objectives that cannot be\n            achieved solely by controls implemented by us; and\n         8. 
other aspects of our control environment, risk assessment process, information and\n            communication systems (including the related business processes), control activities, and\n            monitoring controls that are relevant to processing and reporting transactions of user entities\n            transactions.\n\n  ii.    does not omit or distort information relevant to the scope of FIB, InvestOne, and FedInvest, while\n         acknowledging that the description is prepared to meet the common needs of a broad range of\n         Government Account Series customers and independent auditors of those entities and may not;\n         therefore, include every aspect that each user entity and its auditor may consider important in its own\n         particular environment.\n\nb. The description includes relevant details of changes to FedInvest and InvestOne during the period\n   covered by the descriptions.\n\nc. The controls related to the control objectives stated in the description were suitably designed and\n   operated effectively throughout the period of August 1, 2011 through July 31, 2012 to achieve those\n   control objectives. The criteria we used in making this assertion were that:\n\n   i.    The risks that threatened achievement of control objectives stated in the description were identified;\n\n  ii.    The identified controls would, if operating as described, provide reasonable assurance that those\n         risks did not prevent the stated control objectives from being achieved; and\n\n  iii.   The controls were consistently applied as designed, including whether manual controls were applied\n         by individuals who have the appropriate competence and authority.\n\n                                                  Very truly yours,\n\n\n\n\n                                                  Susan L. 
Chapman, Director\n                                                  Division of Federal Investments\n\n\n\n\n                                                          7\n\x0cIII.   DESCRIPTION OF CONTROLS PROVIDED BY THE BUREAU OF THE PUBLIC\n                                  DEBT\n\n\n\n\n                                  8\n\x0cOVERVIEW OF OPERATIONS\nTreasury Directive 27-02, Organization and Functions of the Fiscal Services, dated May 23,\n1997, established the Bureau of the Public Debt\xe2\x80\x99s (BPD) responsibility to invest, approve\nschedules for withdrawals, and maintain accounts for the Federal Trust and Deposit Programs as\ndirected by statute, and certify interest rates determined by the Secretary of the U.S. Department\nof Treasury.\nBPD has assigned these responsibilities to the Division of Federal Investments (DFI), with the\nexception of interest certification, which is assigned to the Debt Accounting Branch. DFI\nmanages two functional areas: Trust Funds Management Branch (TFMB) and Federal\nInvestments Branch (FIB). FIB is responsible for processing investment transactions for 238\nFederal funds, authorized by law or the Secretary of the Treasury, that comprise the balances of\nthe Government Account Series (GAS). FIB processes these investment transactions based on\ndirection provided by the Federal agencies, which have programmatic responsibility for the use of\nthe fund balances (the Fund Agencies). FIB employs twelve personnel and processes an average\nof 584 transactions daily. 
FIB also performs the following operational duties:\n    \xe2\x80\xa2   Analyzes provisions and limitations of public laws relating to investments for\n        each account.\n    \xe2\x80\xa2   Establishes and controls the record keeping of Fund Agencies\xe2\x80\x99 accounts by\n        receiving and issuing investment documents such as the Request for Investment\n        and Redemption of Securities, Investment Confirmations and Monthly\n        Statements of Account.\n    \xe2\x80\xa2   Provides daily and monthly reports to Fund Agencies reflecting account activities\n        and balances.\nPrior to February 29, 2012, investment and redemption transaction records were maintained in\nboth paper and electronic form. Subsequent to February 29, 2012, investment and redemption\ntransaction records are maintained in electronic form. Confirmations are available in FedInvest\nand Monthly Statements of Account are available in FedInvest and are also published on the\nTreasuryDirect website for retrieval and review by Fund Agencies. FIB maintains and operates\nthe InvestOne accounting system to perform the operational duties stated above. The InvestOne\naccounting system is a transaction-based accounting system for recording and processing\ninvestment security transactions for each of the accounts and provides information to the Public\nDebt Accounting and Reporting System (PARS) and the Intragovernmental Payment and\nCollection System (IPAC). The InvestOne accounting system computes daily, monthly,\nquarterly, semiannual, and annual interest income for each account for each security held. It also\ncalculates amortization, investment discount and premium for investment and redemption\ntransactions, Inflation Compensation Earned on the Treasury Inflation Protected Securities\n(TIPS), and maintains summary account balances for each account as well as balances by type of\nsecurity. 
Fund Agencies use FedInvest, a web-based extension of InvestOne, to enter investment\nand redemption requests, view transaction information, and obtain confirmations and reports.\nInternal Fund managers use FedInvest and two additional extensions, Customer Role\nManagement (CRM) and Rate Price Administration (RPA), to process transactions, manage users\nand accounts, and manage the application of pricing, rates, and pending transactions.\nFIB processes investment transactions based on requests from Fund Agencies regarding security\ntype, maturity, and amount. Fund Agencies submit the investment/redemption requests via the\nInternet using FedInvest. Prior to February 29, 2012, if a Fund Agency could not access\nFedInvest, the agency submitted the investment/redemption requests via fax, email, or hard copy\n                                              9\n                                                                Description of Controls Provided\n                                                                by the Bureau of the Public Debt\n\x0cform. Subsequent to February 29, 2012, if a Fund Agency cannot access FedInvest, the agency\ncan submit the investment/redemption requests via email. The investment and redemption\nrequest processing for Fund Agencies is summarized as follows.\nInvestment Request Processing\nTo establish access to FedInvest, the Fund Agency completes a FedInvest Logon-ID Request\nform and provides the form to a supervisor for approval. The supervisor reviews and approves\nthe form and submits the form to FIB. FIB verifies that the information is complete then emails\nthe IT Service Desk to request that the user be added to Contact Management. Once IT Service\nDesk notifies FIB that the user has been added to Contact Management, FIB provides the\nFedInvest Logon-ID Request form to the Division of Systems and Program Support (DSPS)\nInformation System Security Representatives (ISSRs) for user set-up in FedInvest. 
The Office of\nInformation Technology (OIT) provides the new user with their user ID and temporary password\nand contacts the user to login to FedInvest with the temporary password, answer security\nquestions, and change the password. FIB then coordinates FedInvest training with the new user.\nWhen a FedInvest user is terminated, the Fund Agency uses the same FedInvest Logon-ID\nRequest form as stated above to revoke access and submits the approved form to FIB, who then\nterminates the user\xe2\x80\x99s access.\nFund Agency users access FedInvest using their user ID and password. The Fund Agency user\nselects the Account Fund Symbol (AFS), date, security type, and investment amount in\nFedInvest.\nBefore Prices Loaded \xe2\x80\x93 The FedInvest user may enter investment requests before prices are\nloaded in the system for up to 10 business days in the future except for Zero Coupon Bonds and\nSpecial Issue Certificates of Indebtedness. Upon submission of the request, the user receives a\nconfirmation number which is proof to the Fund Agency that their request was accepted. When\nprices are loaded by the FIB accountant into the InvestOne accounting system, the FIB\naccountant uses the FedInvest RPA module to load the prices into FedInvest, publish them on the\nwebsite, and apply the prices to the pending investment transactions. Once the price has been\napplied to the transaction, it is automatically posted to the InvestOne accounting system\nevidenced by the replacement of the confirmation number with a memo number on the\nconfirmation available to the user in FedInvest.\nAfter Prices Loaded \xe2\x80\x93 The FedInvest user may enter investment requests after prices are loaded\nexcept for Zero Coupon Bonds. Since FedInvest interfaces with the InvestOne accounting\nsystem, the InvestOne accounting system automatically assigns a memo number and applies the\nprice/rate. 
A confirmation of results is available in FedInvest to FedInvest users.

Zero Coupon Bond securities – The FedInvest user must enter investment requests by 11:00 am
EST. FedInvest sends the request by email to the FIB accountants who forward the request to the
U.S. Department of Treasury’s Office of Debt Management (ODM) for pricing. ODM prices the
purchase of the Zero Coupon Bond at approximately 12:00 pm EST and forwards the results to
FIB by email. The FIB accountant enters the pricing results into the InvestOne accounting
system, posts the transaction, and forwards the memo number to the FedInvest user. A
confirmation of results is available in FedInvest to the FedInvest user.

Prior to February 29, 2012, FIB received investment requests via fax, email, or hard copy from
Fund Agencies if the agency could not access FedInvest. Subsequent to February 29, 2012, FIB
may receive investment requests via email from Fund Agencies if the agency cannot access
FedInvest. A FIB accountant enters the request into FedInvest or the InvestOne accounting
system on behalf of the Fund Agency. Then two FIB accountants compare the transaction
confirmation to the investment request to ensure the investment request is recorded accurately,
posted to the correct day, and then digitally stamp the investment request to document their
review.
A confirmation of results is available in FedInvest to the FedInvest user the same day.
On the following business day, a FIB accountant compares the InvestOne report (Prior Day
Review) to the investment requests submitted by the Fund Agency to ensure transactions were
properly entered into the InvestOne accounting system.

Redemption Request Processing

Fund Agency users access FedInvest using their user ID and password. The Fund Agency user
selects the AFS, date, inventory method (First-In First-Out (FIFO) or Specific ID), security type,
and redemption amount in FedInvest.

Before Prices Loaded – The FedInvest user may enter Market-based bill, note, bond, and TIPS
redemption requests using the FIFO inventory method before prices are loaded in the system for
up to 10 business days in the future. Upon submission of the request, the user receives a
confirmation number which is proof to the Fund Agency that their request was accepted. When
prices are loaded by the FIB accountant into the InvestOne accounting system, the FIB
accountant uses the FedInvest RPA module to load the prices into FedInvest, publish them on the
website, and apply the prices to the pending redemption transactions. Once the price has been
applied to the transaction, it is automatically posted to the InvestOne accounting system
evidenced by the replacement of the confirmation number with a memo number that is also on the
confirmation available to the user in FedInvest.

After Prices Loaded – The FedInvest user may enter Market-based bill, note, bond and TIPS
redemption requests using the FIFO or Specific ID inventory methods after prices are loaded in
the InvestOne accounting system and FedInvest.
If Fund Agencies have tax lots (a group of the
same securities purchased on different dates) and decide to apply the specific identification
method rather than the FIFO method to redeem from specific tax lots, Fund Agencies need to
select “Specific ID” inventory method to override the InvestOne accounting system default
setting of the FIFO method, and enter the principal amount to redeem for each tax lot. Since
FedInvest interfaces with the InvestOne accounting system, the InvestOne accounting system
automatically assigns a memo number and applies the price/rate. A confirmation of results is
available on FedInvest to FedInvest users.

Special Issue par-value securities – Special par-value securities have unique redemption rules that
require the InvestOne accounting system to redeem them based on the order of earliest maturity
date, lowest prevailing interest rate, and FIFO. The FedInvest user receives a confirmation with a
confirmation number and a message that the Redemption rules will be applied in accordance with
Treasury Fiscal Policy. The transaction will be pending until after the close of business on the
effective date. At close of business (after 3:00 pm EST) on the effective date of the redemption,
the FIB accountant uses the FedInvest RPA module to run the Post Par Value Sell Transactions
that will process, post, and assign memo numbers to the pending redemption requests in the
InvestOne accounting system using the unique redemption rules. A confirmation of results is
available in FedInvest to the FedInvest users.

Zero Coupon Bond securities – The FedInvest user must enter redemption requests into FedInvest
(by 11:00 am EST) and FedInvest sends an email to the FIB accountants who forward the request
to ODM for pricing. ODM prices the redemption of the Zero Coupon Bond at approximately
12:00 pm EST and forwards the results to FIB via email.
The FIB accountant enters the pricing
results into the InvestOne accounting system, posts the transaction, and forwards the memo
number to the FedInvest user. A confirmation of results is available in FedInvest to the FedInvest
users.

Prior to February 29, 2012, FIB received redemption requests via fax, email, or hard copy from
Fund Agencies if the agency could not access FedInvest. Subsequent to February 29, 2012, FIB
may receive redemption requests via email from Fund Agencies if the agency cannot access
FedInvest. A FIB accountant enters the request into FedInvest or InvestOne accounting system
on behalf of the Fund Agency. Then two FIB accountants review and digitally stamp the
redemption request. A confirmation of results is available in FedInvest to the FedInvest users the
same day. On the following business day, a FIB accountant compares the InvestOne report (Prior
Day Review) to the redemption requests submitted by the Fund Agency to ensure the transactions
were properly entered into the InvestOne accounting system.

FIB obtains and applies open market prices for securities negotiated by brokers and dealers of
government securities from the U.S. Department of the Treasury’s ODM and the Federal Reserve
Bank (FRB) of New York.

FIB functions do not encompass monitoring or determining rates, types and maturities of
government marketable securities.
The Office of Information Technology (OIT) provides
application security (including passwords), processing, and report programming support to FIB
including regular maintenance programming and user-requested program enhancements.

The in-scope BPD functions are shaded in the following organizational chart.

ORGANIZATIONAL CHART

(BPD) Bureau of the Public Debt

(OIT) Office of Information Technology: IT support for Application Security, Application
Processing, and Network Support
(OPDA) Office of Public Debt Accounting

(DSPS) Division of Systems and Program Support
(DFI) Division of Federal Investments

(PSB) Program Support Branch
(SSB) Systems Support Branch
(TFMB) Trust Funds Management Branch: Federal Trust Fund Management
(FIB) Federal Investments Branch: Process Investment/Redemption Requests for Fund Agencies
on InvestOne Accounting System

RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK
ASSESSMENT, AND MONITORING

Control Environment

Operations are primarily under the direction of the Office of the Director of the Division of
Federal Investments (DFI) and the Director of the DSPS, which represent the functional areas
listed below:

    • Administrative development: Coordinates various aspects of FIB operations.
      Identifies areas requiring internal controls and implements those controls.
      Performs systems planning, development, and implementation. Reviews network
      operations and telecommunications and performs disaster-recovery planning and
      database administration.
    • Fund support: Supports end users (Fund Agencies) in all aspects of their use of
      the application system including research and resolution of identified problems.
    • Operations: Manages daily computer operations, production processing, report
      production and distribution, and system utilization and capacity.

The DFI and DSPS hold bi-weekly management meetings to discuss special processing requests,
operational performance, and the development and maintenance of projects in process. Written
position descriptions for employees are maintained. The descriptions are inspected annually and
revised as necessary.

References are sought and background, credit, and security checks are conducted for all BPD
personnel when they are hired.
Additional background, credit, and security checks are performed
every three to five years. The confidentiality of Fund Agency information is stressed during the
new employee orientation program and is emphasized in the personnel manual issued to each
employee. BPD provides a mandatory orientation program to all full time employees and
encourages employees to attend other formal outside training.

All BPD employees receive an annual written performance evaluation and salary review. These
reviews are based on goals and objectives that are established and reviewed during meetings
between the employee and the employee’s supervisor. Completed appraisals are reviewed by
senior management and become a permanent part of the employee’s personnel file.

Risk Assessment

BPD has placed into operation a risk assessment process to identify and manage risks that could
affect FIB’s ability to provide reliable transaction processing for users. This process requires
management to identify significant risks in their areas of responsibility and to implement
appropriate measures to manage these risks.

Additionally, all mission-critical systems and general support systems are subject to an internal
risk-based review every three years. This review identifies assets and possible threats to these
assets, provides a measure of vulnerability of the system to these threats, and confirms control or
protective measures are in place.

Monitoring

BPD management and supervisory personnel monitor the quality of internal control performance
as a normal part of their activities. To assist them in this monitoring, BPD has implemented a
series of “key indicator” management reports that measure the results of various processes
involved in providing transaction-processing services to Fund Agencies. Key indicator reporting
consists of PARS posting summary reports to validate accuracy.
All exceptions to normal or
scheduled processing through hardware and software, or procedural problems are also logged,
reported and resolved daily. These reports are inspected daily and weekly by appropriate levels
of management, and action is taken as necessary.

INFORMATION AND COMMUNICATION

Information Systems

InvestOne Accounting System Description

The InvestOne accounting system is a vendor supplied subsystem of the Government Agency
Investment Services System (GAISS). The InvestOne accounting system is used to record and
report investment fund activity processed by FIB. The InvestOne accounting system is licensed
by SunGard Investment Systems, Inc. (SunGard). The InvestOne accounting system resides on
BPD’s mainframe. OIT provides the primary support for maintaining the InvestOne accounting
system. This includes mainframe operations (batch processing and reporting), custom report
writing, application change management, data management, tape backup and recovery, user
access security, remote access, and continuity management. The InvestOne accounting system is
accessed through the network using a terminal emulator that enables communication with OIT
mainframe applications. The InvestOne accounting system also provides a report writer package
called Spectra that provides users with the ability to create their own reports.
FIB uses Spectra to
create reports, which provide functionality not included in the standard InvestOne reports.

FIB also receives supporting documentation/reports on a daily basis from internally-developed
programs created by programmers. These programs read the data from the InvestOne accounting
system and create various reports to assist in FIB’s daily processing. Specifically, data is
downloaded from the InvestOne accounting system to a data file located on the servers where the
programs execute. Data is not sent from these programs to the InvestOne accounting system.

FedInvest Description

FedInvest, also a subsystem of GAISS, is a vendor-developed, web-based extension to the
InvestOne accounting system that provides access to the federal investments information through
the Internet. FedInvest allows federal investment fund managers to assume direct responsibility
for managing their respective accounts. Using FedInvest, federal agencies are able to input
transactions into the InvestOne accounting system, as well as view account statements and
transaction information over the Internet. Additionally, FedInvest provides an interface to the
InvestOne accounting system for internal fund managers in BPD’s DFI. FedInvest includes edits
that serve to enforce federal investment program policies resulting in improved data quality in the
InvestOne accounting system.

FedInvest also includes two extensions that are available only to BPD internal users. The
Customer Role Management (CRM) module is used by DSPS ISSRs to manage FedInvest users
and their access to associated investment account information. CRM is used by FIB accountants
to manage security type and account information. CRM is also used to create and post broadcast
messages (announcements) that are seen by users signed onto the system, and establish email
communication to all system users and their agency Chief Financial Officers.
The Rate Price
Administration (RPA) module is used by FIB accountants to load rates/prices, publish
rates/prices on the TreasuryDirect website, apply prices to pending market-based transactions,
post pending special issue par-value redemption transactions, and update FedInvest with the
Consumer Price Index (CPI) for processing TIPS transactions.

Communication

BPD has implemented various methods of communication to ensure that all employees
understand their individual roles and responsibilities over transaction processing and controls.
These methods include orientation and training programs for newly hired employees, and use of
electronic mail messages to communicate time sensitive messages and information. Managers
also hold periodic staff meetings as appropriate. Every employee has a written position
description that includes the responsibility to communicate significant issues and exceptions to an
appropriate higher level within the organization in a timely manner.

COMPLEMENTARY FUND AGENCY CONTROLS

BPD’s processing of transactions and the controls over the processing were designed with the
assumption that certain controls would be placed in operation by Fund Agencies. The application
of specific controls at Fund Agencies is necessary to achieve all control objectives included in
this report.

This section describes some of the controls that should be in operation at user entities to
complement the controls at BPD.
Fund Agency auditors should determine whether user entities
have established controls to provide reasonable assurance that they:

•   Ensure that access to FedInvest is restricted to properly authorized individuals.

•   Provide applicable legislation to FIB, and any subsequent legislation revisions, that
    authorizes the Fund Agency to invest.

•   Verify the authority to invest prior to submitting investment account set-up and
    investment/redemption requests.

•   Ensure that only authorized personnel sign requests or submit transactions in FedInvest.

•   Ensure that the submission of investment/redemption requests in FedInvest is accurate and
    completed prior to 3:00 pm EST (11:00 am EST for Zero Coupon Bonds).

•   Notify FIB if the investment/redemption requests have been processed incorrectly so that
    correcting transactions may be processed before 3:00 pm EST.

•   Review investment/redemption/maturity/interest confirmations and Monthly Statements of
    Account to ensure that each request was processed accurately, timely, and in accordance with
    Fund Agency instructions.

•   Track investment/redemption confirmations to ensure that the Fund Agency FedInvest user
    correctly processes all requests.

•   Review and reconcile all transaction confirmations to determine that they are accurate and
    complete, and report discrepancies to FIB so that correcting transactions may be processed
    before 3:00 pm EST.

•   Review adjustments and make prompt and appropriate journal entries to the accounting
    records, to adjust the investment account balances and related interest.

•   Review Monthly Statements of Account to verify that adjustments were processed completely
    and accurately.

•   Ensure that the requested investment returns the appropriate amount of interest to meet
    investment income goals.

•   Reconcile interest payments received as presented in the confirmations and Monthly
    Statements of Account and recalculate interest for accuracy.

•   Approve reinvestments of interest after review for accuracy, completeness, and compliance
    with instructions.

•   Recalculate interest accrual and amortization of premium and/or discount and compare the
    results to the BPD provided monthly Accrual Confirmation and Accrual Activity Reports.

•   Report any interest accrual discrepancies noted on the monthly Accrual Confirmation and
    Accrual Activity Reports to BPD for resolution.

•   Report any premium and/or discount amortization discrepancies noted on the monthly
    Accrual Confirmation and Accrual Activity Reports to BPD for resolution.

•   Review FIB provided Monthly Statements of Account to ensure that transactions are recorded
    accurately and timely, and report discrepancies to FIB so correction processes may occur.

•   Reconcile investment activity from Financial Management Service application CARS
    Account Statements to the FIB provided Monthly Statements of Account to verify that
    investment activity is being properly reported by FIB on the Fund Agencies’ behalf.

•   Review detailed case management transactions to ensure that each request was processed
    accurately, timely, and in accordance with Fund Agency instructions.

Specific complementary Fund Agency control considerations are provided for Control Objectives
5, 8, 9, 10, 11, 13, 14, and 15 in the Control Objectives, Related Controls, and Tests of Operating
Effectiveness section of this report.
SUB-SERVICE ORGANIZATIONS

In order to provide investment/redemption processing services, FIB relies on systems and
services provided by other organizations external to BPD (sub-service organizations). The
following table describes the types of the sub-service organizations used by FIB. These
sub-service organizations were not subject to examination by KPMG LLP.

Name of Sub-service Organization: Federal Reserve Bank (FRB) of New York
Function/Responsibilities: On a daily basis, FIB obtains Treasury Price Quote files via digital
certificate from a secure FRB website. FIB uses these price quote files to calculate the
market-based security prices that can be loaded into the InvestOne accounting system and
compared to the price files provided by ODM.

Name of Sub-service Organization: U.S. Department of the Treasury – Office of Debt
Management (ODM)
Function/Responsibilities: On a daily basis, the ODM provides FIB the daily security price files
for market-based transactions. Additionally, as needed, ODM provides FIB with the Zero
Coupon Bond pricing. ODM provides FIB the Daily Market Quotations on Most Recently
Auctioned Treasury Bills used for the rate for the one-day certificates.

Name of Sub-service Organization: U.S. Department of the Treasury – Financial Management
Service (FMS)
Function/Responsibilities: Treasury’s FMS provides daily and monthly reports to FIB, including
IPAC reports, and Central Accounting and Reporting System (CARS) account statements. FIB
uses these reports to verify the accurate posting of transactions and data.

IV.   CONTROL OBJECTIVES, RELATED CONTROLS, AND
      TESTS OF OPERATING EFFECTIVENESS

GENERAL COMPUTER CONTROLS

Control Objective 1 – System Software

Controls provide reasonable assurance that changes to system software are authorized, tested,
approved, properly implemented, and documented.

Description of Controls

The Bureau of the Public Debt (BPD) has documented procedures for the authorization, testing,
approval, implementation, and documentation of system software changes.

The InvestOne accounting system operates within a mainframe environment¹. The FedInvest
system is operated within a client-server environment²,³. Mainframe and client-server system
software products are under vendor control for maintenance and support. Upgrades to these
products are obtained from the vendors and installed by the Office of Information Technology
(OIT) specialists.

For system software changes, BPD uses the iET product for change management. All system
software changes (i.e., new product installations, maintenance upgrades, etc.) require a change
record to be opened in iET.
A change record can be opened by any specialist in OIT’s division
responsible for effecting such changes or the change control coordinator. The iET change record
includes a description of the change, implementation date of the change, a justification, and a
back-up/back-out plan.

Changes are initially discussed at the weekly change control meetings. Attendees include OIT
representatives impacted by the proposed change. Notification is sent to the assistant
commissioner, division directors, branch managers and/or staff personnel. Following the
meeting, the change control coordinator prepares and distributes the Weekly Change Control
Memorandum with information on changes for the upcoming week. This memorandum describes
the system changes, effective dates, reasons for changes or problems the changes will resolve.
There is also a reference to the iET change control number.

Before system software changes can be moved to production, they are tested in accordance with
the BPD’s system software change control procedures. These procedures document the
authorization, testing, approval, implementation, and documentation requirements for system
software changes. Changes progress through various environments, which differ according to the
type of system infrastructure. For the mainframe, there are three separate environments: test,
acceptance, and production. Each environment is a logical environment with its own datasets
and libraries. Mainframe changes are first tested by a programmer in the test environment;
moved to acceptance, tested, and then changes are moved to the production environment
following approval. For changes to distributed software, changes are promoted up through
integration, acceptance, and production regions within similar controls described above.

¹ Which consists of the following system software products:
       •    z/OS Operating System
       •    Customer Information Control System (CICS)
       •    ACF2 Security
       •    Tape Management System (TMS)
       •    Control M and D (Production and Print scheduling)
       •    ETF/A (Emergency Change Control)
       •    MQSeries
       •    DB2
² The FedInvest system is composed of the following system software components:
       •    Spring
       •    Hibernate
       •    Java Server Faces
       •    JAVA
       •    Windows Server 2003
       •    Sybase
       •    WebSphere Application Server
³ Reliant Services:
       •    LDAP access to Enterprise Directory Services
       •    SMTP access to Domino messaging service

All changes are reviewed and coordinated at the weekly change control meeting, and approved by
the change control coordinator prior to being moved into the production environment.

All emergency changes follow the same process as indicated above, with the exception that
changes move through the environments at an accelerated rate. Testing and approval of these
changes are documented in iET.

BPD has established a process that allows system programmers and database administrators to
have temporary access to the Production mainframe environment through the use of a “fire-call”
ID product that allows them elevated privileges for system software and application changes.
The operating system is configured to monitor and log such activity for review and approval by
management; management reviews these logs within a reasonable timeframe after the use of
“fire-call”.

OIT reviews the use of sensitive system utilities included in the protected programs group on a
weekly basis and limits access to these programs based on job responsibility.

Tests of Operating Effectiveness and Results of Testing

1. Inspected written procedures for system software configuration management and determined
   that procedures were documented, including procedures to document, test, authorize, and
   approve system software changes, and properly implement changes into production.

2. Inspected the emergency system software change procedures and determined that procedures
   for implementing emergency system software changes were documented, including approval
   by management.

3. Inspected vendor maintenance support contracts for system software and determined that the
   contracts existed and were current.

4. For a selection of system software change records, inspected iET tickets and determined that
   iET was used throughout the examination period to log, track, and monitor system software
   changes.

5. For a selection of dates, inspected Weekly Change Control Memorandums and determined
   that weekly change control meetings were held to discuss planned changes with the potential
   to impact the InvestOne accounting system or FedInvest application system software.

6. For a selection of system software changes and emergency system software changes,
   inspected supporting documentation and determined that the changes were tested, authorized,
   and approved prior to implementation.

7. Inspected a list of users with access to use fire-call and determined that the list was
   commensurate with job responsibilities.

8. For a selection of days, inspected fire-call logs and evidence of review, and determined that
   fire-call logs were reviewed by OIT management.

9. For a selection of weeks, inspected evidence of OIT’s review of reports for sensitive system
   utilities in the protected programs group and determined that the reports were reviewed.

No exceptions noted.

Control Objective 2 – Vendor Software

Controls provide reasonable assurance that implemented new releases of vendor-supplied
applications are authorized, tested, approved, properly implemented, and documented.

Description of Controls

BPD has documented procedures for the testing and authorization of new releases of vendor
supplied applications.
The change control process is under the control and direction of the Office
of Public Debt Accounting (OPDA).
The InvestOne accounting system is licensed by SunGard Investment Systems, Inc. (SunGard).
BPD has a maintenance and support contract for the InvestOne accounting system with SunGard.
OIT is responsible for all maintenance and support of the FedInvest system.
SunGard periodically provides new releases of the InvestOne accounting system, including
documentation. Each new release requires comprehensive testing. The Division of Systems and
Program Support (DSPS) tests the new InvestOne accounting system releases developed by
SunGard consistent with change control procedures for OPDA systems. New InvestOne
accounting system releases are installed in the Test environment where they are initially tested.
After successful completion of testing, OIT migrates the InvestOne accounting system new
release to the Acceptance environment, where it is subjected to acceptance testing by users. OIT
only installs an InvestOne accounting system new release in the Production environment after all
testing has been successfully completed and management has approved the InvestOne accounting
system new release for implementation in the Production environment. BPD loaded InvestOne
version 9.1 in December 2010.
In addition to new releases, SunGard will periodically provide fix tapes for the InvestOne
accounting system. Fix tapes, which address certain InvestOne accounting system issues, are
narrower in scope than new releases. Based on what changes a particular fix tape includes, BPD
management will decide whether or not to implement the fix tape. 
If BPD management decides
to implement the fix tape, the fix tape is migrated through the Test and Acceptance environments.
Fix tapes are installed in the Production environment only after successful completion of testing
in the Test and Acceptance environments and management approval for migration into the
Production environment.
DSPS also tests changes to the InvestOne accounting system application reports, developed by
SunGard Investment Systems, Inc. using the same change control procedures described above.
In addition, BPD uses the version control software to manage the upgrades and enhancements.
Changes are only migrated into the production environment once all responsible parties approve
the change in the version control software. Access to migrate changes via the version control
software is limited based on job responsibility.

Tests of Operating Effectiveness and Results of Testing

1. Inspected procedures for the implementation of new releases of vendor supplied applications,
   and determined that they were documented and included requirements for authorization,
   testing, documentation, and approval.

2. Inspected vendor maintenance support contracts for the InvestOne accounting system
   software and determined that the contracts existed and were current.

3. For new InvestOne releases, inspected supporting documentation and determined that the
   enhancements were tested, approved, properly implemented and documented.

4. There were no fix tapes implemented during the examination period. We inquired of
   management regarding the fix tape implementation process and inspected the listing of
   vendor software changes and enhancements and determined that there were no fix tapes
   recorded.

5. 
Inspected version control software access permissions and determined that access
   permissions to migrate changes to the production environment were restricted commensurate
   with job responsibilities.

No exceptions noted.

Control Objective 3 – Program Change Control

Controls provide reasonable assurance that development of new applications and changes to
existing applications are authorized, tested, approved, properly implemented, and documented.

Description of Controls

BPD has documented procedures for the authorization, testing, approval, implementation, and
documentation of application software changes. The application change control process is under
the control and direction of OPDA.
SunGard has custom built additional application components for data entry and reporting.
Included is the FedInvest application, which functions as a web-based user interface that Fund
Agencies can use for entering transactions into the InvestOne accounting system. For reporting,
BPD has built internally-developed programs utilizing RM (desktop) COBOL and mainframe
COBOL that generate customized reports to provide information unavailable in the standard
InvestOne accounting system reporting package.
For RM COBOL, OIT uses a version control software [4] to control access to source code for these
internally-developed programs and to facilitate version control by requiring developers to check
source code in and out using version control software. These programs read the data from the
InvestOne accounting system and create reports. Specifically, data is downloaded from
the InvestOne accounting system, using standard processes, to a data file on the mainframe then via
ftp to the servers where the programs execute. 
Data is not sent from these programs to the
InvestOne accounting system. The reports are used by the trust fund managers, sent to Fund
Agencies, or sent to U.S. Department of Treasury’s Financial Management Service, the Office of
Debt Management and Office of Fiscal Projection. The Congressional Budget Office also
receives reports generated from the InvestOne accounting system.
For mainframe COBOL, OIT uses a version control software [5] to control access to source code for
these internally-developed programs and to facilitate version control. These programs were
developed by OIT and reside on the mainframe, where these programs execute.
For FedInvest and customized reports, OIT uses a version control software [6] to control access to
source code for the vendor supplied and BPD managed programs to facilitate version control.
Changes to FedInvest were developed by SunGard between August 1, 2008 and September 30,
2008 and by OIT between October 1, 2008 and July 31, 2009.
DSPS provides support for the design and testing of the above changes. DSPS creates the
requirements documentation, which is then provided to OIT (or SunGard) for development.
DSPS manages the request, documentation, testing, and approval process using a Change Control
Checklist and iET.
Changes using version control software progress through four separate environments: Test,
Integration, Acceptance, and Production. A change is first tested by the programmer in the Test
or Integration environment. It is then migrated to the Acceptance environment where a user tests
the change using example transactions and Acceptance environment files and libraries.
Each change is reviewed by the user groups that are affected by the change, and each group
provides user concurrence that they accept the change. 
Following user concurrence, a senior staff
member reviews the testing materials and completes the Change Control Checklist indicating that
testing has been completed. The package is provided to the DSPS Branch Manager for final
review and approval.
Once the DSPS Branch Manager approves the change, DSPS sends a Network Services Request
to OIT to move the change into the Production environment. Upon notification of an accepted
change, OIT creates an update package in version control software. Only approved changes are
installed in the Production environment.
For mainframe COBOL, the version control software is an application through which users
approve changes. This version control software is also used to move changed program files into
the Production environment. This version control software will not allow changes to be migrated
from the Acceptance environment into production until the changes have been approved. Access
to migrate changes to Production via the version control software is
limited based on job responsibility.

[4] Microsoft Visual Source Safe
[5] Endevor
[6] ClearCase

Tests of Operating Effectiveness and Results of Testing

1. Inspected application software change procedures and determined that they were documented
   and included requirements for authorization, testing, documentation, and approval.

2. Inspected the access permissions and inquired of OIT management and determined that
   access to source code for internally-developed programs was commensurate with job
   responsibilities.

3. 
Inspected the access control lists for FedInvest and customized reports version control
   software and determined that access to the source code for FedInvest was commensurate with
   job responsibilities.

4. Inspected a selection of change records in iET and determined that iET was used throughout
   the examination period to log, track, and monitor application software changes.

5. For a selection of application software changes, inspected supporting documentation and
   determined that the changes were tested and approved.

6. Inspected version control software access permissions and determined that access
   permissions to migrate changes to the production environment were restricted commensurate
   with job responsibilities for mainframe COBOL and FedInvest.

No exceptions noted.

Control Objective 4 – Physical Access

Controls provide reasonable assurance that physical access to computer equipment and storage
media is restricted to authorized individuals.

Description of Controls

BPD has documented policies and procedures for controlling physical access to BPD buildings
and to the data center. These include:
•   Identification of sensitive/critical areas to which access needs to be restricted.
•   Physical access controls designed to detect unauthorized access.
•   Procedures for log reviews and investigation of violations.
The InvestOne accounting system mainframe and FedInvest servers reside in OIT’s data center.
Various physical access controls protect the facilities. 
[7]
The Security Branch issues employee badges, after performing security background checks and
fingerprinting.
Employees are required to have badges available at all times upon request.
Terminated employees are required to surrender identification badges and are removed from the
database security system immediately.
Physical access to the OIT Data Center is restricted to authorized users only. An employee
needing access to the data center must have his/her Branch Manager request access. The requests
are made through iET, a workflow system that is used to approve data center access. After the
Branch Manager completes and submits the iET request form, requests are forwarded to OIT's
data center managers for approval in the iET. If OIT approves the request, the BPD Division of
Security and Emergency Preparedness (DSEP) Security Branch grants access. Access to all
sensitive areas requires use of a badge. The use of a badge provides an audit trail that is reviewed
by OIT management monthly for potential access violations. Any unauthorized access attempts
are followed up on by contacting the individual’s supervisor. Individuals without badge access to
the data center must be escorted to the command center and are required to sign in/out of a Visitor
log to be issued a data center visitor badge. Visitor badges do not have access to the data center,
but rather designate the individual as a visitor. A visitor log is maintained at the main entrance to
the data center. [8]
OIT performs a monthly review of individuals’ access patterns of the data center for the previous
month. OIT performs a semiannual reconciliation of individuals authorized data center access to
individuals granted data center access by DSEP. Additionally, OIT performs an annual review
and recertification of individuals with access to the data center. 
If an individual is found to have
unauthorized data center access, OIT will, based on the individual’s need for access, make a
decision whether to request that DSEP remove their data center access or whether to provide
authorization for their access.

[7] Armed security guards man and monitor BPD facilities 24 hours a day, 7 days a week. A digital video camera system monitors all
entrances, the building perimeter, and certain interior areas, including the data center, and records activity 24 hours a day. All people
entering each building are required to place any materials, packages, bundles, etc. onto an x-ray machine. Entrants are also required to
pass through a walkthrough metal detector. An activation of the walkthrough metal detector results in further screening by the
security guard, utilizing a handheld metal detector to identify the source of activation. In addition, entrants must swipe their badges
into an access control system that grants access to authorized personnel.
[8] Only designated DSEP specialists have access to PACS. Vendors that are authorized to have a badge are issued a One-day badge
and must leave their access badge onsite following completion of work in the data center. A log of One-Day badges is maintained and
reviewed weekly.

Tests of Operating Effectiveness and Results of Testing

1. Inspected physical access policies and procedures for the data center and determined that they
   were documented and included the identification of sensitive/critical areas to which access
   needs to be restricted, physical access controls designed to detect unauthorized access, and
   procedures for log reviews and investigation of violations.

2. 
Observed physical access controls of BPD buildings and the OIT data center and noted that
   security guards, video cameras, badge readers, displayed badges by employees, and locked
   doors were in place and in operation to restrict access.

3. Observed persons entering BPD buildings and noted that persons were required to place any
   materials, packages, bundles, etc. onto an x-ray machine, and additionally were required to
   pass through a walkthrough metal detector.

4. Observed persons entering BPD buildings and noted that an activation of the walkthrough
   metal detector resulted in further screening by the security guard, utilizing a handheld metal
   detector to identify the source of activation.

5. Observed entrants swipe their badges into the access control system and noted that the
   control system granted access to authorized personnel.

6. For a selection of personnel granted data center access, inspected supporting documentation
   and determined that access badges were issued to personnel with a completed background
   check and fingerprinting.

7. Observed employees within the BPD buildings and noted that badges were displayed.

8. Inspected the data center access list and compared to a list of separated employees and
   determined that separated employees were removed from the badge reader system.

9. Inspected a list of employees with card key access to the data center and tape storage room
   from the card security system and an organizational chart showing employees requiring
   access to the data center and tape storage room and determined that physical access to the
   OIT data center was restricted to authorized employees only.

10. For a selection of employees and contractors granted access to the data center during the
    examination period, inspected the iET record for the access granted and determined that
    access was approved by the data center manager.

11. 
Inspected permissions to access the PACS badge system of BPD security management, and
    determined that access permissions to the physical access systems were commensurate with
    job responsibilities.

12. For a selection of months, inspected evidence of the monthly review of violation logs and
    determined that a review to identify unauthorized access attempts was performed. We
    determined that there were no violations for the selections and follow-up was not required.

13. For a selection of dates, inspected visitor logs and determined that visitor logs were reviewed
    by OIT management.

14. For a selection of days, inspected shift logs and determined that an inventory of vendor
    badges was performed.

15. Inspected documentation of the monthly review of physical access privileges to the data
    center and determined that access privileges were reviewed.

16. Inspected documentation of the annual recertification of physical access privileges to the data
    center and determined that access privileges were recertified.

No exceptions noted.

Control Objective 5 – Logical Access

Controls provide reasonable assurance that logical access to system and application software is
restricted to authorized individuals.

Description of Controls

BPD has guidelines for the preparation of security plans for applications and systems that process
Sensitive but Unclassified information. All mission-critical systems and general support systems
are subject to an internal risk-based review every three years. 
This review identifies assets and
possible threats to these assets, provides a measure of vulnerability of the system to these threats,
and confirms control or protective measures are in place.
The InvestOne accounting system is classified as a mission-critical system.
InvestOne accounting system security along with the host mainframe’s security package controls
access to the InvestOne accounting system. InvestOne accounting system security restricts access
to accounts within the system based on user banks and user identification (UID). InvestOne
accounting system access is restricted to authorized personnel. The security settings are also used
to restrict OIT personnel’s access to system software, data files, and program libraries.
FedInvest is a web-based user interface through which users have access to enter transactions into
and view InvestOne accounting system data. External users are limited to accessing InvestOne
accounting system data through FedInvest. External users that invest in Government Account
Series (GAS) securities are able to connect to FedInvest over the Internet to input transactions
into the InvestOne accounting system as well as to view account statements and transaction
information.
Administrator access permissions are allocated to FedInvest and InvestOne accounting
system users commensurate with their job responsibilities.
OPDA follows BPD system administration security password guidelines/procedures to establish
and maintain passwords. [9] Passwords are not displayed when entered. The reserved word feature
is enabled to prevent the use of commonly used words in passwords.
Information System Security Representatives (ISSRs) manage access to the InvestOne accounting
system. Users must complete and submit an Access Request/Revoke Form to the Division of
Federal Investments (DFI) who approves the form and forwards it to DSPS before access is
granted. 
DFI personnel authorize the form and forward it to OPDA ISSRs to process the request.
DSPS has documented procedures for granting access. Modifications to user accounts require use
of the same Access Request/Revoke Form.
External users must have their supervisor’s approval along with DFI approval documented on an
Access Request/Revoke Form before access is granted to FedInvest. When an external user
accesses InvestOne accounting system data, they enter a user ID and password into FedInvest.
User IDs are authenticated by a security utility [10]. If the required authentications failed, the user
would be prevented from accessing InvestOne accounting system data through FedInvest.
ISSRs remove FedInvest and InvestOne accounting system access from users at the request of
their managers/supervisors or FIB personnel. Each access removal request is documented on an
Access Request/Revoke Form.

[9] These guidelines require passwords to be at least 8 characters in length, changed every 30 days for ACF2 and every 90 days for
LDAP, and unique for each individual.
[10] BPD's standard authentication utility, BPDLogin, is used to authenticate users. User credentials are stored in BPD's enterprise
directory.

On a routine basis, an ISSR reviews Internal Violations Reports for any inappropriate activity;
follow-up is notated on the report.
Additionally, on a periodic basis an ISSR reviews a report of all InvestOne accounting system
user IDs that have not been used to access InvestOne accounting system within a predetermined
number of days [11]. 
The ISSR follows up with any affected users by email or by phone.
Additionally, OPDA recertifies access to mission critical systems by verifying access privileges
for all InvestOne accounting system and FedInvest users. DSPS ISSRs remove or modify any
user IDs or access privileges identified for deletion or changes by the user’s manager/supervisor
or DFI personnel when accompanied by a revoke form.

Complementary Fund Agency Controls

Fund Agencies should establish controls to:

•   Ensure that access to FedInvest is restricted to properly authorized individuals.

Tests of Operating Effectiveness and Results of Testing

1. Inspected the relevant Certification and Accreditation (C&A) of the InvestOne accounting
   system and FedInvest systems and determined that the system had been authorized to operate.

2. Inspected the InvestOne accounting system and FedInvest risk assessment and determined
   that a risk assessment was performed.

3. Inspected the InvestOne accounting system and FedInvest security plan and determined that
   the plan was documented.

4. Observed a user log into the InvestOne accounting system and the FedInvest system and
   noted that their access was restricted in accordance with the system configuration.

5. For each InvestOne accounting system user, compared access granted to an OPDA
   Organization Chart and determined that access privileges were commensurate with job
   responsibilities.

6. Inspected security guidelines and procedures for administrator privileges for the InvestOne
   accounting system and FedInvest and determined that security guidelines and procedures
   were documented for the administrator privileges.

7. Inspected a list of users with administrator access privileges to InvestOne accounting system
   and FedInvest and determined that access was limited commensurate with job
   responsibilities.

8. 
Inspected an OPDA Organizational Chart and determined that administrator access was
   commensurate with job responsibilities.

9. Inspected security password guidelines and procedures for InvestOne accounting system and
   FedInvest and determined that password parameters were documented.

[11] A list of InvestOne users that have not logged into InvestOne for 45 days or more is reviewed monthly.

10. Inspected password settings for InvestOne accounting system and FedInvest and determined
    that password length, complexity, and expiration settings were configured in accordance with
    BPD requirements.

11. Observed a user log into InvestOne accounting system and FedInvest and noted that their
    password was masked as they entered it.

12. For a selection of new InvestOne users, inspected documented user access request forms and
    determined that access was authorized by FIB and the user’s supervisor.

13. For a selection of new FedInvest users, inspected documented user access request forms and
    determined that access was authorized by FIB and the user’s supervisor.

14. Inspected a list of all separated and transferred BPD employees and lists of InvestOne
    accounting system and FedInvest user IDs and determined that access to InvestOne
    accounting system and FedInvest had been revoked for terminated and transferred BPD
    employees.

15. For a selection of weeks, inspected reports listing InvestOne accounting system security
    administrator actions entered into the system and determined that the reports were reviewed
    by an ISSR and any exceptions were followed up.

16. 
For a selection of weeks, inspected ACF2 InvestOne accounting system audit log reports and
    evidence of review, and determined that the reports were reviewed by an ISSR and any
    exceptions were followed up.

17. For a selection of months, inspected evidence of review and removal of inactive accounts and
    determined that inactive user accounts were reviewed and removed on a monthly basis.

18. Inspected documentation of the review and recertification of internal InvestOne accounting
    system and FedInvest user access and determined that internal InvestOne accounting system
    and FedInvest user access was reviewed and recertified.

19. For a selection of external FedInvest users, inspected documentation of the review and
    recertification of external FedInvest user access and determined that external FedInvest user
    access was reviewed and recertified.

20. For a selection of user account recertification reviews requesting removal of user access
    privileges, inspected InvestOne accounting system and FedInvest user lists, and determined
    that requested modifications were made.

No exceptions noted.

Control Objective 6 – Computer Operations

Controls provide reasonable assurance that computer processes are scheduled appropriately and
deviations are identified and resolved.

Description of Controls

The InvestOne accounting system is an interactive mainframe system with master data files that
are updated when entries are posted. End-of-day processes perform maintenance to the data
files and data backups. OIT support personnel complete the Production Control Daily Checklist
to verify the successful completion of end-of-day processes. 
Data entry error checking and input
screen designs help ensure that the data entered by the users is accurate and complete. The error
checks include verification of entered data based on predetermined values and ranges. Errors
detected by the system are rejected immediately and must be corrected before the transaction is
permitted to update the master data tables.
Daily user operations procedures are posted for the InvestOne accounting system to provide
operators with the information necessary to sequentially complete daily processing. Additionally,
a monthly calendar is posted that highlights the daily requirements. The InvestOne accounting
system configuration requires that daily reporting be performed in sequence before transaction
processing can begin. OIT completes the Production Control Monthly Checklist to verify the
successful completion of end-of-month processes.
The mainframe job scheduler software controls the scheduling of batch jobs for the InvestOne
accounting system. The job scheduler allows all programs for batch processing, printing and data
backup to be scheduled and performed automatically. Access to the job schedules is limited to
OIT support personnel and privileges are commensurate with job responsibilities. The job
scheduler sends messages confirming successful completion of each day’s scheduled jobs to OIT
and DSPS. Any abends are also communicated to the appropriate OIT and OPDA personnel as
they happen through automated messages. Abends are resolved and jobs are restarted as
necessary through the job scheduler.

Tests of Operating Effectiveness and Results of Testing

1. For a selection of dates, inspected Production Control Daily Checklists and determined that
   the checklists were used during processing.

2. 
Observed transactions entered into the InvestOne accounting system and determined that
   error checking edits prevented users from entering values of the wrong data type or values not
   on lookup lists.

3. Inspected posted daily user operations for InvestOne accounting system and FedInvest, the
   FIB Daily Procedures, and the monthly requirements calendar and determined that these
   schedules and procedures were available.

4. For a selection of months, inspected Production Monthly Checklists and determined that the
   checklists were used during month-end processing.

5. Inspected the InvestOne accounting system job schedule and determined that a job production
   schedule for the InvestOne accounting system was documented.

6. Inspected privileges of individuals granted access to make modifications to schedules and job
   control language for production jobs in the mainframe job scheduler and inquired of
   management regarding job responsibilities, and determined that access privileges were
   limited commensurate with job responsibilities.

No exceptions noted.

Control Objective 7 – Network Performance Monitoring

Controls provide reasonable assurance that network performance monitoring techniques are
implemented appropriately.

Description of Controls

Users must be connected to the BPD network to access the InvestOne accounting system.
Additionally, they must run terminal emulation software to connect to the mainframe
environments. Network performance and availability are monitored by OIT at all times. 
[12]

Tests of Operating Effectiveness and Results of Testing

1. Observed OIT Command Center staff and noted that monitoring tools were used to monitor
   the performance and availability of BPD networking equipment, such as switches and
   firewalls.

2. Observed OIT Command Center staff and noted that tools were used to monitor the
   performance and availability of the FedInvest website.

3. Inquired of management and were informed that the OIT Command Center was staffed 24
   hours a day.

No exceptions noted.

[12] Using the following utilities:
A combination of monitoring tools (ManageEngine OP Manager and HP Sitescope) are used to
monitor networking equipment such as switches and firewalls. These tools automatically report
any network equipment or application outages to the Network Operations Center.

INVESTMENT/REDEMPTION PROCESSING CONTROLS

Control Objective 8 – Item Processing Security

Controls provide reasonable assurance that an authorized investment authority is established prior
to processing investment requests.

Description of Controls

The Office of the Fiscal Assistant Secretary (OFAS) prepares the Department of the Treasury
Operating Circular (Operating Circular) that communicates the policies and procedures regarding
the government accounts on the books of the Treasury that the Secretary of the Treasury has been
authorized or directed by law to invest. 
The Operating Circular describes the government
investment account responsibilities that the Treasury has, and the fiscal responsibility the Fund
Agencies have for the use of the invested funds.

The Operating Circular also describes the process for how Treasury issues approval of the Fund's
investment authority. FIB creates new investment accounts in the InvestOne accounting system
that will be available in FedInvest after FIB receives confirmation that the BPD Chief Counsel’s
office and Assistant General Counsel for Banking and Finance completed the legal review of the
Fund’s investment authority or receives a completed Memorandum of Understanding (MOU)
between Treasury's OFAS and the Fund Agency.

BPD Chief Counsel’s office maintains records concerning all legal matters with regard to new
and existing investment funds.

Complementary Fund Agency Controls

Fund Agencies should establish controls to:

•   Provide applicable legislation to FIB, and any subsequent legislation revisions, that
    authorizes the Fund Agency to invest.

•   Verify the authority to invest prior to submitting investment account set-up and
    investment/redemption requests.

•   Ensure that only authorized personnel sign requests or submit transactions in FedInvest.

Tests of Operating Effectiveness and Results of Testing

1. For a new account creation, observed FIB personnel process the account request and
   determined that FIB approved the investment account and obtained authorized investment
   authority in accordance with the documented procedures.

2. 
For a selection of investment accounts created during the examination period, inspected
   documentation of approval from Treasury for their creation and determined that approval
   from Treasury was received prior to the creation of investment accounts.

No exceptions noted.

Control Objective 9 – Item Capture

Controls provide reasonable assurance that investment and redemption requests are processed and
recorded accurately and prepared in a timely manner.

Description of Controls

Fund Agencies log on to FedInvest to enter their investment and redemption requests prior to the
3:00 pm EST deadline (11:00 am EST for Zero Coupon Bonds). Investment options include: (1)
Market-based bills, notes, bonds, Treasury Inflation Protected Securities (TIPS); (2) One-day
certificates; (3) special issue par-value securities for agencies with proper legislative authority;
and (4) Zero Coupon Bonds. Procedures for processing investment and redemption requests by
FIB accountants on behalf of the Fund Agency are documented for each type of transaction. For
new market-based securities auctioned by Treasury, FIB accountants manually set up the new
securities with a Committee on Uniform Securities Identification Procedures (CUSIP) number
assigned by the Treasury into the InvestOne accounting system. Zero Coupon Bond securities are
manually set up by FIB accountants with a CUSIP number assigned by the Treasury into the
InvestOne accounting system only when an investment request is received by the agency. One-day
and special issue par-value securities are also set-up by a FIB accountant; however, the FIB
accountant assigns a security number based on the security name and date of issue instead of a
CUSIP number. 
Another FIB accountant reviews the set-up of a new security to ensure that it
is accurately recorded.

Prior to February 29, 2012, if a Fund Agency could not access FedInvest, the agency could send
investment/redemption requests by fax, email, or hard copy form to FIB for processing on their
behalf. Subsequent to February 29, 2012, if a Fund Agency cannot access FedInvest, the agency
can send investment/redemption requests by email to FIB for processing on their behalf. To
ensure that the Fund Agency’s investment/redemption requests are suitable and have been entered
correctly into the system, two FIB accountants review and digitally stamp each request, in
addition to the accountant who entered the transaction into the FedInvest or InvestOne accounting
system. The FIB accountants inspect the requests to ensure that they include: name of fund,
account symbol, date of request, amount, type of security to invest/redeem, and authorized
signature of the Fund Agency manager or authorized agent. If the requests do not contain the
required information, the FIB accountants contact the Fund Agency to obtain the required
information. Investment/redemption requests are processed as of the date on the requests.

Market-based securities – Office of Debt Management (ODM) provides FIB daily security price
files for the market-based securities. These price files are calculated by ODM using Federal
Reserve Bank (FRB) of New York Treasury Price Quote files. FIB accountants perform daily
procedures to ensure the accuracy of the prices and for contingency planning in the event that
ODM price files are unavailable to FIB. FIB accountants obtain the FRB of New York Treasury
Price Quote files from a secure website using a digital certificate. The FIB accountant runs a
desktop COBOL program that uses the FRB of New York prices to calculate and prepare
market-based price files that can be loaded into the InvestOne accounting system. 
The desktop COBOL
program also compares the calculated prices to the prices contained in the ODM files producing
an exception report of any differences. In addition, a FIB accountant performs a yield curve
comparison to check for significant variances from the composite Bloomberg generic pricing
source obtained from the Bloomberg terminal. The FIB accountant notifies ODM of any price
differences on the exception report and unusual variances identified from the yield curve
comparison, if any, and ODM provides FIB with certification of any necessary price corrections
via email. The FIB accountant loads the market-based prices into the InvestOne accounting
system and FedInvest by approximately 1:00 pm EST.

Overnight Rates (One-day securities) – ODM provides FIB the daily rate for the one-day
certificates in an email of daily market bid quotations on most recently auctioned Treasury bills.
The one-day rate is the prior day's coupon equivalent of the shortest regularly issued Treasury
security, currently the 4 week bill. Each morning, a FIB accountant enters the overnight interest
rate for the one-day security into the InvestOne accounting system and FedInvest and two FIB
accountants compare the InvestOne accounting system security definition screens and the
FedInvest screen to the ODM email received to ensure the rate was recorded accurately.

Special issue par-value securities – On the first business day of each month, a FIB accountant
creates the special issue par-value securities in the InvestOne accounting system and FedInvest
using the rates provided by the Division of Accounting Operations (DAO) Securities Accounting
Team (SAT), formerly known as the Principal and Interest Accounting Team (PIAT). 
SAT
prepares the rates for submission to FIB using rates provided by ODM and the average auction
results of Treasury securities as specified in the pertinent legislation. Once the special issue
par-value security rates are compiled, they are submitted to the SAT team lead for review. The team
lead reviews the rates prior to submission to FIB by comparing the rates on the form for
submission to the rates obtained from ODM and the security auction results tables. Once the
securities have been created in the InvestOne accounting system using the rates obtained from
SAT, the FIB accountant runs a report from the FIB Menu (a COBOL collection of desktop
programs) to create a report showing values from the InvestOne accounting system security
definition screens and compares them to the rates provided by SAT to ensure that the rates are
recorded accurately and documents the review by digitally stamping the rate sheet that was
provided by SAT.

Zero Coupon Bond securities – ODM provides the Zero Coupon Bond pricing on an as needed
basis. Currently, only two Fund Agencies invest in Zero Coupon Bonds. FIB receives the Fund
Agency instructions for the purchase/redemption of Zero Coupon Bonds through a FedInvest
email notification. A Fund Agency must enter Zero Coupon Bond purchase requests into
FedInvest prior to 11:00 am EST on the desired date. Once the purchase request has been
entered, FedInvest sends an automated email to the FIB accountants and the FIB accountants
forward the request to ODM for pricing. ODM prices the transaction at approximately noon and
provides the pricing data to FIB. A FIB accountant enters the applicable pricing data and posts
the requested transaction in InvestOne accounting system. Two other FIB accountants compare
the pricing information from the InvestOne accounting system to the pricing data received from
ODM to ensure the pricing is accurately recorded. A confirmation is available in FedInvest to the
FedInvest user. 
The preparer and reviewing FIB accountants digitally stamp the supporting
documentation for the transaction to document their review.

Fund Agencies that have not authorized FIB to process investment transactions on their behalf
need to purchase new securities each day using FedInvest (their investments are not automatically
rolled over). Prior to February 29, 2012, if a Fund Agency could not access FedInvest, the agency
requested the investment via email, fax, or hard copy. Subsequent to February 29, 2012, if a
Fund Agency cannot access FedInvest, the agency must request the investment via email. FIB
accountants process these overnight transactions as instructed.

Investment Request Processing

To establish access to FedInvest, the Fund Agency completes a FedInvest Logon-ID Request
form, which is signed by a supervisor at the Fund Agency. FIB verifies that the information is
complete, then emails the IT Service Desk to request that the user be added to Contact
Management. Once the IT Service Desk notifies FIB that the user has been added to Contact
Management, FIB provides the user form to the DSPS ISSRs for user set-up in FedInvest. OIT
provides the new user with their user ID and temporary password and contacts the user to login to
FedInvest with the temporary password, answer security questions, and change the password.
FIB then coordinates FedInvest training with the new user. When a FedInvest user is terminated,
the Fund Agency uses the FedInvest Logon-ID Request form to revoke access and submits the
approved form to FIB. FIB then terminates the user’s access.

Fund Agency users access FedInvest using their user ID and password. 
The Fund Agency user
selects the Account Fund Symbol (AFS), date, security type, and investment amount in
FedInvest.

Before Prices Loaded – The FedInvest user may enter investment requests before prices are
loaded in the system for up to 10 business days in the future except for Zero Coupon Bonds and
Special Issue Certificates of Indebtedness. Upon submission of the request for future dated
market-based and TIPS securities, the user receives a confirmation number, which is proof to the
Fund Agency that their request was accepted. When prices are loaded by the FIB accountant into
the InvestOne accounting system, the FIB accountant uses the FedInvest RPA module to load the
prices into FedInvest, publish them on the website, and apply the prices to the pending investment
transactions. Once the price has been applied to the transaction, it is automatically posted to the
InvestOne accounting system and the confirmation number is replaced with a memo number that
is also on the confirmation available to the user in FedInvest.

For future dated one-day investments, the user receives the memo number immediately. Once the
one-day rate has been loaded into InvestOne accounting system/FedInvest for the effective date
of the investment, a confirmation of results with rate information will be available in FedInvest to
the FedInvest user.

After Prices Loaded – The FedInvest user may enter investment requests after prices are loaded
into the InvestOne accounting system, except for Zero Coupon Bonds. Since FedInvest interfaces
with the InvestOne accounting system, the InvestOne accounting system automatically assigns a
memo number and applies the price/rate. A confirmation of results is available in FedInvest to
FedInvest users.

Zero Coupon Bond securities – The FedInvest user may enter investment requests by 11:00 am
EST. 
FedInvest sends the request by email to the FIB accountants who forward the request to
ODM for pricing. ODM prices the purchase of the Zero Coupon Bond at approximately 12:00
pm EST and forwards the results to FIB by email. The FIB accountant enters the pricing results
into the InvestOne accounting system, posts the transaction, and forwards the memo number to
the FedInvest user. A confirmation of results is available in FedInvest to the FedInvest user.

Prior to February 29, 2012, if a Fund Agency could not access FedInvest, FIB received
investment requests via fax, email, or hard-copy from Fund Agencies. Subsequent to February
29, 2012, FIB may receive investment requests via email from Fund Agencies if an agency
cannot access FedInvest. A FIB accountant enters the request into FedInvest or InvestOne
accounting system on behalf of the Fund Agency. Then two FIB accountants compare the
transaction confirmation to the investment request to ensure the investment request is recorded
accurately, posted to the correct day, and then digitally stamp the investment request to document
their review. A confirmation of results is available in FedInvest to the FedInvest user the same
day.

On the following business day, a FIB accountant compares the InvestOne report (Prior Day
Review) to the investment requests submitted by the Fund Agency to ensure transactions were
properly entered into the InvestOne accounting system. The FIB accountant documents this
review by digitally stamping the investment request.

Redemption Request Processing

To establish access to FedInvest, the Fund Agency completes a FedInvest Logon-ID Request
form, which is signed by a supervisor at the Fund Agency. 
FIB verifies that the information is
complete, then emails the IT Service Desk to request that the user be added to Contact
Management. Once the IT Service Desk notifies FIB that the user has been added to Contact
Management, FIB provides a copy of the FedInvest Logon-ID Request form to the DSPS ISSRs
for user set-up in FedInvest. OIT provides the new user with their user ID and temporary
password and contacts the user to login to FedInvest with the temporary password, answer
security questions, and change the password. FIB then coordinates FedInvest training with the
new user. When a FedInvest user is terminated, the Fund Agency uses the FedInvest Logon-ID
Request form to revoke access and submits the approved form to FIB. FIB then terminates the
user’s access.

Fund Agency users access FedInvest using their user ID and password. The Fund Agency user
selects the AFS, date, inventory method (First-In First-Out (FIFO) or Specific ID), security type,
and redemption amount in FedInvest.

Before Prices Loaded – The FedInvest user may enter Market-based bill, note, bond, and TIPS
redemption requests using the FIFO inventory method before prices are loaded in the system for
up to 10 business days in the future. Upon submission of the request, the user receives a
confirmation number which is proof to the Fund Agency that their request was accepted. When
prices are loaded by the FIB accountant into the InvestOne accounting system, the FIB
accountant uses the FedInvest RPA module to load the prices into FedInvest, publish them on the
website, and apply the prices to the pending redemption transactions. 
Once the price has been
applied to the transaction, it is automatically posted to the InvestOne accounting system, as
evidenced by the replacement of the confirmation number with a memo number that is also on the
confirmation available to the user in FedInvest.

After Prices Loaded – The FedInvest user may enter Market-based bill, note, bond and TIPS
redemption requests using the FIFO or Specific ID inventory methods after prices are loaded in
the InvestOne accounting system and FedInvest. If Fund Agencies have tax lots (a group of the
same securities purchased on different dates) and decide to apply the specific identification
method rather than the FIFO method to redeem from specific tax lots, Fund Agencies need to
select “Specific ID” inventory method to override the InvestOne accounting system default
setting of the FIFO method, and enter the principal amount to redeem for each tax lot. Since
FedInvest interfaces with the InvestOne accounting system, the InvestOne accounting system
automatically assigns a memo number and applies the price/rate. A confirmation of results is
available in FedInvest to FedInvest users.

Special issue par-value securities – Special issue par-value securities have unique redemption
rules that require the InvestOne accounting system to redeem them based on the order of earliest
maturity date, lowest prevailing interest rate, and FIFO. The FedInvest user receives a
confirmation with a confirmation number and a message that the redemption rules will be applied
in accordance with Treasury Fiscal Policy. The transaction will be pending until after the close of
business on the effective date. 
At close of business (after 3:00 pm EST) on the effective date of
the redemption, the FIB accountant uses the FedInvest RPA module to run the Post Par Value
Sell Transactions that will process, post, and assign memo numbers to the pending redemption
requests in the InvestOne accounting system using the unique redemption rules. A confirmation
of results is available in FedInvest to FedInvest users.

Zero Coupon Bond securities – The FedInvest user must enter redemption requests into FedInvest
(by 11:00 am EST) and FedInvest sends an email to the FIB accountants who forward the request
to ODM for pricing. ODM prices the redemption of the Zero Coupon Bond at approximately
12:00 pm EST and forwards the results to FIB via email. The FIB accountant enters the pricing
results into the InvestOne accounting system, posts the transaction, and forwards the memo
number to the FedInvest user. A confirmation of results is available in FedInvest to the FedInvest
users.

Prior to February 29, 2012, FIB received redemption requests via fax, email, or hard-copy from
Fund Agencies if an agency could not access FedInvest. Subsequent to February 29, 2012, FIB
may receive redemption requests via email from Fund Agencies if an agency cannot access
FedInvest. A FIB accountant enters the request into FedInvest or the InvestOne accounting
system on behalf of the Fund Agency. Then two FIB accountants review and digitally stamp the
redemption request. A confirmation of results is available in FedInvest to the FedInvest user the
same day.

On the following business day, a FIB accountant compares the InvestOne report (Prior Day
Review) to the redemption requests submitted by the Fund Agency to ensure transactions were
properly entered into the InvestOne accounting system. 
The FIB accountant documents this
review by digitally stamping the redemption request.

Investment Maturity Processing

If Fund Agencies do not redeem securities prior to the maturity date, the InvestOne accounting
system automatically matures the securities on the maturity date. A confirmation of results is
available in FedInvest to the FedInvest user. Each day, a FIB accountant compares the system
generated maturities to expected maturity reports run after the close of the previous business day.

Each business day, a FIB accountant runs a report for all one-day investments from the previous
business day and the current day's maturities, reviews the report to make sure that all one-day
investments matured and paid interest, and documents approval by digitally marking the daily
checklist.

Detailed Case Management Processing

Three Fund Agencies provide reimbursement to FIB for the service of tracking investments at a
level of detail greater than what is required to record issues, redemptions, and maturities within
the InvestOne accounting system. Certain Fund Agencies have a requirement to hold monies in
escrow pending legal determination of ownership, so FIB accommodates them by establishing a
network of sub-accounts, or cases, that in aggregate equal the fund’s investment balance. This
way, the Fund Agencies track investments at a level of detail greater than what is required to
record issues, redemptions, and maturities within the InvestOne accounting system. Fund
Agencies send, via e-mail or file, a request to deposit or withdraw funds from a specific case.

A FIB accountant enters the request into FedInvest or the InvestOne accounting system on behalf
of the Fund Agency. 
Then two FIB accountants review and digitally stamp the request. A
confirmation of results is available in FedInvest to the FedInvest user the same day.

On the following business day, a FIB accountant compares the InvestOne report (Prior Day
Review) to the requests submitted by the Fund Agency to ensure transactions were properly
entered into the InvestOne accounting system. The FIB accountant documents this review by
digitally stamping the request.

Complementary Fund Agency Controls

Fund Agencies should establish controls to:

•   Ensure that the submission of investment/redemption requests in FedInvest is accurate and
    completed prior to 3:00 pm EST (11:00 am EST for Zero Coupon Bonds).

•   Notify FIB if the investment/redemption requests have been processed incorrectly so that
    correcting transactions may be processed before 3:00 pm EST.

•   Review investment/redemption/maturity/interest confirmations and Monthly Statements of
    Account to ensure that each request was processed accurately, timely, and in accordance with
    Fund Agency instructions.

•   Ensure that access to FedInvest is restricted to properly authorized individuals.

•   Review detailed case management transactions to ensure that each request was processed
    accurately, timely, and in accordance with Fund Agency instructions.

Tests of Operating Effectiveness and Results of Testing

1. For a selection of business days, inspected documentation of the daily procedures performed
   by the FIB accountants regarding the market-based securities pricing and determined that the
   FIB accountants followed the established policies and procedures, as evidenced by the FIB
   accountants’ sign off on the daily procedures checklist.

2. 
For a selection of business days, inspected the daily procedures checklist and determined that
   the FIB accountants performed a yield curve comparison to identify significant variances
   between the ODM price file for market-based securities and the composite Bloomberg
   generic pricing source obtained from the Bloomberg terminal.

3. For a selection of business days, inspected the daily procedures checklist and determined that
   the FIB accountant ran the desktop COBOL program that compares the FIB calculated prices
   for market-based securities to the prices contained in the ODM files producing an exception
   report of any differences.

4. For a selection of business days, inspected the daily procedures checklist, the InvestOne
   accounting system security definition screens and the FedInvest screen and determined that
   two FIB accountants compared the InvestOne accounting system security definition screens
   to the ODM email received to ensure the rate was recorded accurately by noting their digital
   signatures on the rate sheet.

5. For a selection of months, inspected documentation of the SAT provided pricing for
   par-value securities and determined that the SAT team leader reviewed the rates provided to FIB,
   the FIB accountant accurately loaded the rates into the InvestOne accounting system, and a
   second FIB accountant compared the rates from the InvestOne accounting system security
   definition screens to the rates provided by SAT to ensure the rate was accurately recorded.

6. There were no investments and redemptions of Zero Coupon Bonds during the period.

7. 
Inspected investment/redemption processing request procedures and observed the FIB
   accountant process investment/redemption requests and determined that FIB processed
   investment/redemption requests in accordance with the established procedures.

8. For a selection of investment/redemption requests, inspected signed request for
   investment/redemption forms or emailed authorization and determined that: FIB was
   authorized by the Fund Agency to process each investment/redemption request prior to entry
   into FedInvest or the InvestOne accounting system, the documented procedures were
   followed, the investment/redemption request was initialed by the accountant recording the
   entry, the entry was properly reviewed and initialed by two other FIB accountants after entry
   into the FedInvest or the InvestOne accounting system, a comparison of each request form to
   the Prior Day Review report was documented by a FIB accountant, the request was recorded
   accurately and in a timely manner, and documentation is maintained and available.

9. For a redemption request entered through FedInvest, inspected the confirmation and
   determined that the redemption was recorded accurately and processed as requested in a
   timely manner.

10. For an investment request entered through FedInvest, observed the InvestOne accounting
    system automatically assign a memo number, apply the price/rate and generate and post an
    on-line confirmation, and determined that the request was recorded accurately and processed
    in a timely manner.

11. Observed the FIB accountant use the FedInvest RPA module to run the Post Par Value Sell
    Transactions and process, post, and assign memo numbers to the pending redemption
    requests in the InvestOne accounting system using the redemption rules for par-value
    securities and determined that the FIB accountant followed the established policies and
    procedures. 
Further, reperformed the system’s selection of the security redeemed for one
    Fund Agency redemption request and determined that the system properly applied the
    redemption rules for par-value securities.

12. For a selection of business days, inspected documentation of the daily procedures performed
    by the FIB accountants regarding par-value security redemptions and determined that the FIB
    accountants followed the established policies and procedures, as evidenced by the FIB
    accountants’ sign off on the daily procedures checklist.

13. For a selection of business days, inspected documentation of the daily procedures performed
    by the FIB accountants and determined that the FIB accountant ran a report for all one-day
    investments from the previous business day and the current day’s maturities, reviewed the
    report to ensure that all one-day investments matured and paid interest, and documented
    approval by initialing the daily checklist.

14. For a matured investment, inspected the corresponding confirmation and determined that the
    InvestOne accounting system automatically matured the security on the maturity date,
    accurately recorded the transaction in a timely manner, and posted an on-line confirmation on
    FedInvest.

15. 
For a selection of case management deposit or withdrawal requests, determined that the
    request was digitally signed by the FIB Accountant recording the entry, the entry was
    properly reviewed and digitally signed by two other FIB accountants after entry into the
    FedInvest or InvestOne accounting system, a comparison of each request form to the Prior
    Day Review report was documented by the FIB accountant, the request was recorded
    accurately and in a timely manner, and documentation is maintained and available.

No exceptions noted.

Control Objective 10 – Confirmations

Controls provide reasonable assurance that confirmations are processed in a timely and accurate
manner.

Description of Controls

The InvestOne accounting system assigns a memo number for transactions entered in FedInvest
that are posted immediately into the InvestOne accounting system.

A confirmation number is created for each transaction entered into FedInvest that is not processed
immediately upon entry (e.g., market based transactions before prices are loaded, Zero Coupon
Bonds, and special issue par-value redemptions) to notify the user that the transaction is in the
processing queue. Once transactions are processed into the InvestOne accounting system, the
InvestOne accounting system assigns an individual memo number that replaces the confirmation
number. Memo numbers are provided to Fund Agency FedInvest users through the interface
between FedInvest and the InvestOne accounting system.

For each entry into the InvestOne accounting system, the system automatically generates and
posts an on-line confirmation of the transaction available in FedInvest for Fund Agency
reconciliation. 
Fund Agencies access FedInvest using their user ID and password to obtain confirmations.

Complementary Fund Agency Controls

Fund Agencies should establish controls to:

• Track investment/redemption confirmations to ensure that the Fund Agency FedInvest user correctly processes all requests.

• Review and reconcile all transaction confirmations to determine that they are accurate and complete, and report discrepancies to FIB so correcting transactions may be processed before 3:00 pm EST.

• Ensure that access to FedInvest is restricted to properly authorized individuals.

• Review investment/redemption/maturity/interest confirmations and Monthly Statements of Account to ensure that each request was processed accurately, timely, and in accordance with Fund Agency instructions.

Tests of Operating Effectiveness and Results of Testing

1. For an investment request, a redemption request, and a maturity of securities, inspected FedInvest and determined that FedInvest automatically generated and posted an on-line confirmation that accurately reflected the transaction and indicated that the transaction was processed accurately and timely.

2. For an investment request, a redemption request, and a maturity of securities, observed the processing of transactions in the InvestOne accounting system and noted that the InvestOne accounting system automatically assigned a memo number and determined the request was recorded accurately and in a timely manner.

3.
For an investment or redemption request entered into FedInvest but not immediately processed into the InvestOne accounting system (due to the fact that pricing information for the investment was not yet loaded or that close of business par-value redemption rules were not yet applied), observed FedInvest and noted that a confirmation number was automatically assigned and an on-line confirmation was generated to indicate that the transaction was in the processing queue. Observed FedInvest after the pricing information was loaded or the business day was closed and noted that the confirmation number assigned upon data entry was replaced with a memo number and that the request was recorded accurately and in a timely manner.

No exceptions noted.

Control Objective 11 – Fund Balance Adjustment

Controls provide reasonable assurance that Fund Agency account balance adjustments, due to errors in processing or Fund Agency errors, are processed completely and accurately.

Description of Controls

Fund Agencies should detect errors by reviewing confirmations. Fund Agencies notify FIB of the errors and send adjustment information. FIB maintains a documented procedure detailing the steps that need to be performed when making a correction or adjustment. The Correction/Adjustment Check List documents the tasks that generally need to be completed when making a correction or adjustment. When necessary, a FIB accountant enters an adjustment or corrects the original transaction in the InvestOne accounting system.
The InvestOne accounting system processes the adjustment and a confirmation of the adjustment or corrected transaction is available in FedInvest to the FedInvest user.

The FIB accountant prepares a correction package and completes the Correction/Adjustment Check List when adjustments are necessary. Two other FIB accountants (the team leader and a reviewing FIB accountant) review and approve the correction package and any transactions posted to the InvestOne accounting system, PARS, and/or IPAC, as applicable. The review and approval process is completed by determining that the necessary steps on the Correction/Adjustment Check List have been performed.

A FIB accountant runs a report from the FIB Menu (a COBOL collection of desktop programs) to create Monthly Statements of Account, which documents all transactions processed for a particular month, including any necessary adjustments. The Monthly Statement of Account is made available in FedInvest and on the BPD’s TreasuryDirect website for review by the Fund Agencies.

Complementary Fund Agency Controls

Fund Agencies should establish controls to:

• Review investment/redemption/maturity/interest confirmations and Monthly Statements of Account to ensure that each request was processed accurately, timely, and in accordance with Fund Agency instructions.

• Review adjustments and make prompt and appropriate journal entries to the accounting records, to adjust the investment account balances and related interest.

• Review Monthly Statements of Account to verify that adjustments were processed completely and accurately.

Tests of Operating Effectiveness and Results of Testing

1.
Inquired of management and inspected written procedures to determine that the consistent use of the procedures is likely to help prevent deviations from operations as described in the control description.

2. For a selection of error corrections and adjustments, inspected the correction package and the completed Correction/Adjustment Check List and determined that the corrections/adjustments were performed in accordance with the established procedures.

3. For a selection of fund balance adjustments, inspected the Fund Agency’s adjustment request and the Correction/Adjustment Check List and determined that two other FIB accountants, including the team leader, documented their review of each adjustment request and that the request was processed completely and accurately.

4. Observed the FIB accountant prepare and post the Monthly Statement of Account for one month and noted that the FIB accountant followed the established policies and procedures.

5. For a selection of Monthly Statements of Accounts, inspected the Monthly Statements of Accounts on FedInvest and determined that they were posted by the first working day after the end of the month and were made available for review to the Fund Agencies.

6.
For a selected adjustment, inspected the respective Monthly Statement of Account and determined that the Monthly Statement of Account indicated that the adjustment was processed accurately.

No exceptions noted.

Control Objective 12 – Recordkeeping

Controls provide reasonable assurance that support related to the investment accounts is documented and readily available.

Description of Controls

Transaction confirmations and the Monthly Statements of Account containing InvestOne accounting system data are available in FedInvest to the FedInvest users. The Monthly Statement of Account is also available on the TreasuryDirect website. FIB maintains file copies of the investment/redemption requests that were processed by FIB on behalf of the Fund Agency.

On a daily basis, FIB receives market-based security price files from ODM and FRB of New York, Zero Coupon Bond pricing as needed from ODM, and a daily email for the one-day certificate rate from ODM. On a monthly basis, FIB receives via email the special issue par-value security rates from SAT. These quotations document the security prices/rates and are retained for future reference for a period of twenty years in accordance with the BPD document retention policies. FIB files and retains Daily Principal Totals Reports, which detail all daily principal transactions and are reconciled to the Balances-Summary report daily.

FIB maintains copies of the Notification of Principal & Interest (P&I) Credit, which report principal and interest activity on certain Marketable or Agency Security investments held at FRB of New York.
Each month, FIB prepares the Standard Form 1132, Investment Funds Summary Holding Report (SF1132), Standard Form 1133-1, Marketable Securities Held by GAS Agencies (SF1133-1), and Standard Form 1134-1, Agency Securities Held by GAS Agencies (SF1134-1) reports, which document each Fund Agency’s account balance, including securities held in safekeeping at FRB New York. These reports are published on the TreasuryDirect website.

Tests of Operating Effectiveness and Results of Testing

1. For a selection of Monthly Statements of Account, inspected the Monthly Statements of Account and determined that the reports were maintained and readily available.

2. For a selection of investment/redemption requests, inspected the confirmations and determined that confirmations were maintained and readily available.

3. For a selection of investment/redemption requests, inspected the Request for Investment/Redemption forms and determined that documentation was maintained and available.

4. For a selection of dates, inspected the Daily Principal Totals Reports and determined that the FIB accountants reconciled the reports to the Balances-Summary report, the reconciliation was mathematically correct and documented, and the documentation was maintained and available.

5. For a selection of transactions or dates, inspected pricing records and determined that pricing documentation was maintained and available.

6. For a selection of months, inspected the Notification of P&I Credit and determined that the documentation was maintained and available.

7.
For a selection of months, inspected the SF1132, SF1133-1, and SF1134-1 reports and determined that the reports were maintained and readily available.

No exceptions noted.

Control Objective 13 – Segregation of Duties

Controls provide reasonable assurance that the duties of authorizing, processing information, and verifying documents are appropriately segregated.

Description of Controls

FIB has established policies and procedures documenting that the following responsibilities are segregated for Fund Agencies using FedInvest:

    • Fund Agencies are responsible for requesting access to FedInvest.
    • External FedInvest users must have their supervisor’s approval along with OPDA ISSR approval documented on an Access Request/Revoke form before access is granted to or revoked from FedInvest.
    • Access permissions are assigned to FedInvest and the InvestOne accounting system users commensurate with their job responsibilities by the OPDA ISSRs.
    • FIB Accountants set up accounts in InvestOne accounting system/FedInvest and OPDA ISSRs set up users in InvestOne accounting system/FedInvest.
    • Fund Agencies access FedInvest and submit investment purchase and redemption requests.
    • FedInvest interfaces with the InvestOne accounting system which processes and posts the investment and redemption requests and provides the data for the confirmations that are available in FedInvest to the FedInvest users.

FIB has established policies and procedures documenting that the following responsibilities are segregated when FIB processes transaction requests on behalf of the Fund
Agencies:

    • Prior to February 29, 2012, Fund Agencies prepared and submitted investment/redemption requests to FIB via fax, email, or hard copy form if the agency could not access FedInvest. Subsequent to February 29, 2012, Fund Agencies prepare and submit investment/redemption requests to FIB via email if the agency cannot access FedInvest.
    • FIB personnel enter the investment purchase or redemption request into FedInvest or the InvestOne accounting system.
    • The InvestOne accounting system processes the investment and redemption requests and provides the data for the confirmations that are available in FedInvest to the FedInvest users.
    • To verify that transactions have been processed accurately, two FIB accountants other than the one who entered the transaction will review and compare a copy of the investment/redemption request from the Agency to the data entered into the InvestOne accounting system. Both the accountant entering the transaction and those reviewing it digitally stamp the file copies to document that the procedure has been performed.
    • On the following business day, a FIB accountant compares the InvestOne report (Prior Day Review Report) to the investment/redemption request submitted by the Fund Agency to ensure transactions were properly entered into the InvestOne accounting system.
The FIB accountant documents completion of this review by digitally stamping the investment/redemption request.

Complementary Fund Agency Controls

Fund Agencies should establish controls to:

• Ensure that access to FedInvest is restricted to properly authorized individuals.

Tests of Operating Effectiveness and Results of Testing

1. Inspected investment/redemption processing request procedures, observed the FIB accountant process investment/redemption requests, and determined that FIB processed the investment/redemption requests in accordance with the established procedures.

2. For a selection of investment/redemption requests, inspected signed Request for Investment/Redemption forms or emailed authorization and determined that: FIB was authorized by the Fund Agency to process each investment/redemption request prior to entry into the InvestOne accounting system, the documented procedures were followed, the investment/redemption request was initialed by the accountant recording the entry, the entry was properly reviewed and initialed by two other FIB accountants after entry into the InvestOne accounting system, a comparison of each request form to the Prior Day Review report was documented by a FIB accountant, the request was recorded accurately and in a timely manner, and documentation is maintained and available.

No exceptions noted.

Control Objective 14 – Interest Calculation and Payments

Controls provide reasonable assurance that interest is
calculated accurately and interest reinvestments are completed accurately.

Description of Controls

Interest

FIB has documented the methods for calculating interest for Government Account Series securities in written desktop procedures. One-day securities pay interest daily, special issue par-value securities pay interest semi-annually on June 30 and December 31, and market-based notes, bonds and TIPS pay interest semi-annually on various dates. The market-based bills and Zero Coupon Bonds do not pay periodic interest and therefore interest income is equal to the discount earned. The InvestOne accounting system calculates the amount of interest to be paid when holdings are redeemed or interest payments are due. The InvestOne accounting system calculates interest based on the security set-up and investment terms in the system in accordance with the requirements of 31 CFR Chapter II, Part 306, Subpart E, and Part 356, Appendix B, with the exception of one-day securities. The InvestOne accounting system calculates interest for one-day securities using the rate that FIB receives from ODM.

The InvestOne accounting system reports the results of the calculations on confirmations available in FedInvest for Fund Agency reconciliation and re-computation. The confirmation generation process is summarized as follows.

Fund Agencies access FedInvest using their user ID and password. Since FedInvest interfaces with the InvestOne accounting system, the InvestOne accounting system data is displayed on the confirmations that are immediately available in FedInvest to the FedInvest user.

The InvestOne accounting system also calculates certain accrued interest amounts and Inflation Compensation Earned (ICE) on the TIPS.
The InvestOne accounting system calculates ICE in accordance with the requirements of 31 CFR Chapter II, Part 356, Appendix B.

FIB accountants can verify the accuracy of the InvestOne accounting system interest calculations by manually recalculating interest for redemptions, maturities and semi-annual payment dates.

A COBOL program uses extracted data from the InvestOne accounting system to generate Monthly Statements of Account (a cash basis statement that reflects the Agency’s investment reporting, and shows interest income paid on each security). To create the Monthly Statement of Account, a FIB accountant runs the COBOL program for both tax lot and summary levels. This creates two text files for each Fund. The FIB accountant sends the tax lot and summary level Monthly Statement of Account via email to the BPD Web Content Management for review and publishing in FedInvest and on the TreasuryDirect website.

The Monthly Statements of Account and confirmations are available to the Fund Agencies for reconciliation with their accounting records. In addition, previous months’ statements are available for reference purposes. If the Fund Agency identifies any errors, the Fund Agency should inform FIB so the necessary adjustments may be made.

Amortization of Premiums and Discounts

The InvestOne accounting system automatically calculates amortization of discount/premium based on the security set-up and investment terms in the system. FIB has documented the methods for calculating the discount/premium amortization in written desktop procedures.
The system calculates amortization for market-based bills (i.e., short-term securities) using the straight-line method and for market-based notes/bonds/TIPS/Zero Coupon Bonds (i.e., long-term securities), using the level yield method, which approximates the interest method. A COBOL program is used to create monthly Accrual Confirmation and Accrual Activity Reports for each account, which contain the amortization amounts that are published in FedInvest for Fund Agency reconciliation and re-computation. To create the Accrual Confirmation and Accrual Activity Reports, a FIB accountant selects and runs the “accrual report” option from the FIB report menu. This generates two text files that include the Accrual Confirmation and Accrual Activity Reports for each fund. The FIB accountant sends the Accrual Confirmation and Accrual Activity Reports via email to the BPD Web Content Management for review and publishing in FedInvest. In addition, previous months’ statements are available for reference purposes. If the Fund Agency identifies any errors, the Fund Agency should inform FIB so the necessary adjustments may be made.

Accrued Interest

The InvestOne accounting system automatically calculates accrued interest based on the security set-up and investment terms in the system. FIB has documented the methods for calculating the accrued interest in written desktop procedures. The FIB Menu accrual report program reports the results of interest accruals in the monthly Accrual Confirmation and Accrual Activity Report and publishes the report in FedInvest for Fund Agency reconciliation and re-computation. To create the Accrual Confirmation and Accrual Activity Reports, a FIB accountant selects and runs the “accrual report” option from the FIB report menu that generates two text files that include the Accrual Confirmation and Accrual Activity Reports for each fund.
The FIB accountant sends the Accrual Confirmation and Accrual Activity Reports via email to the BPD Web Content Management for review and publishing in FedInvest. In addition, previous months’ statements are available for reference purposes. If the Fund Agency identifies any errors, the Fund Agency should inform FIB so the necessary adjustments may be made.

Interest Reinvestments

FIB prepares an Investment Rollover Report for the Office of Fiscal Projections that includes principal balances from the InvestOne accounting system and interest accruals that are associated with those balances as of the date of the report. For the December 31 interest payments on special issue par-value securities, the interest is reinvested into a certificate of indebtedness maturing the following June 30. For June 30 maturities and interest payments, FIB receives written documentation from each agency that holds special issue par-value securities that states how they want their interest and maturities reinvested. June 30 is the only date on which agencies can invest in longer term special issue par-value securities (par-value bonds). OPDA reviews and approves the Investment Rollover Report for accuracy and sends the report to Treasury headquarters. The Fiscal Assistant Secretary of Treasury approves and returns the Investment Rollover Report for FIB to process on June 30.
The interest-reinvestment process for the non-par-value securities is the same as and subject to the regular investment process discussed in Control Objective 9.

Interest Allocations

Certain Fund Agencies have a requirement to hold monies in escrow pending legal determination of ownership, so FIB accommodates them by establishing a network of sub-accounts, or cases, that in aggregate equal the fund’s investment balance. According to their individual needs, Fund Agencies subscribing to detailed case management services establish relationships between their investments and their cases. For those agencies with a pooled investment strategy, the total balance of all cases equals the total balance of all investments. Agencies with a non-pooled investment strategy track each case balance with an equivalent investment.

Non-pooled investment funds allocate interest directly to a specific case since there is a tie between the cases and the investments. Pooled investment funds must allocate interest to cases by calculating the portion of total investment interest that should be allocated to a case by applying the percentage of a specific case as a total of all cases to the total interest. Case and investment balances are reconciled for pooled investment funds both prior to and after the allocation of interest by a FIB accountant.

The formula used to calculate and allocate interest transactions to case balances includes withholding fees as required by statute or to reimburse FIB for providing additional investment accounting services. Fee amounts are provided by the Fund Agency and input by a FIB accountant. Then two FIB accountants review and digitally stamp the request.
In the event the interest calculations are less than the amount of fees to be withheld, the fees are withheld from the principal balance.

Complementary Fund Agency Controls

Fund Agencies should establish controls to:

• Ensure that the requested investment returns the appropriate amount of interest to meet their investment income goals.

• Reconcile interest payments and allocations received as presented in the confirmations and Monthly Statements of Account and recalculate interest for accuracy.

• Approve reinvestments of interest after review for accuracy, completeness, and compliance with instructions.

• Recalculate interest accrual and amortization of premium and/or discount and compare the results to the BPD provided monthly Accrual Confirmation and Accrual Activity Reports.

• Report any interest accrual discrepancies noted on the monthly Accrual Confirmation and Accrual Activity Reports to BPD for resolution.

• Report any premium and/or discount amortization discrepancy noted on the monthly Accrual Confirmation and Accrual Activity Reports to BPD for resolution.

Tests of Operating Effectiveness and Results of Testing

1. Inspected interest calculation procedures, re-performed the system’s calculation of interest, and determined that interest calculation transactions were processed in accordance with procedures.

2. Inspected interest calculation procedures and determined that they were consistent with the requirements of 31 CFR, Chapter II, Part 306, Subpart E and Part 356, Appendix B.

3.
For a selection of interest transactions including each type of GAS security other than one-day securities, recalculated the interest amounts, amortization, and ICE and determined that the system calculations were in accordance with the CFR requirements and mathematically accurate.

4. For a selection of one-day securities, recalculated the interest income and determined that the system calculations were mathematically accurate and complied with the desktop procedures.

5. For a selection of transactions processed in the InvestOne accounting system, inspected confirmations and determined that subsequent to transactions posting in the InvestOne accounting system, the system automatically generated and posted an on-line confirmation of the transaction available in FedInvest to Fund Agencies.

6. Inspected a confirmation and determined that the confirmation contained appropriate and necessary information to allow for Fund Agency reconciliation and re-computation of transactions.

7. For a selection of Accrual Confirmation Reports and Accrual Activity Reports, inspected FedInvest and determined that the reports were available in FedInvest to Fund Agencies.

8. Observed the FIB accountant generate an Accrual Confirmation Report and Accrual Activity Report and email them to BPD Web Content Management for review and publishing in FedInvest. Attempted to modify the published Accrual Confirmation and Accrual Activity Reports and determined that the modification of the reports was prevented.

9. For a selection of transactions from the Accrual Confirmation Reports, recalculated the amortization of premium and discount, and determined that the amortization was calculated accurately or the level yield amortization method utilized by FIB for long-term securities approximated the interest method.
Inspected the Accrual Activity Reports for the same date as the Accrual Confirmation Reports and determined that the amortization recorded for the month was also calculated and reported accurately and used the appropriate amortization method (short term = straight line, long term = level yield/effective interest).

10. For a selection of Accrual Confirmation Reports and Accrual Activity Reports, inspected the reports and determined that they contained the necessary information for Fund Agencies to reconcile and re-compute accruals and amortization and that the information documented was accurate.

11. For a selection of Investment Rollover Reports, inspected the reports and determined that FIB management documented its review and approval of each report prior to distributing it to the respective Fund Agencies and that FIB maintained the written interest and maturities reinvestment requests from the Fund Agencies.

12. Inspected the June 2012 Investment Rollover Report and determined that FIB management documented its review and approval of each rollover plan in the Investment Rollover Report and the Fiscal Assistant Secretary of the Treasury approved the report prior to processing.

13. For a selection of par-value securities interest reinvestments, inspected the supporting instructions and determined that reinvestments were completed in accordance with Fund Agency instructions.

14. For a selection of case management investment fund interest allocations, re-performed the interest allocations and determined that the formula was properly applied.

15.
For a selection of fund interest earnings and withholding fee allocations for pooled investments, inspected documentation and determined that an FIB accountant reconciled the case balances both before and after the allocation, accurately input the fee amounts into InvestOne, and that two FIB accountants reviewed and digitally stamped the request.

No exceptions noted.

Control Objective 15 – Statement Rendering

Controls provide reasonable assurance that monthly reports are processed in a timely and accurate manner.

Description of Controls

Monthly Statements of Account

A FIB Menu program extracts data from the InvestOne accounting system to produce the Monthly Statement of Account that details cash basis reporting of a Fund Agency’s beginning balance, investment/redemption activity, unrealized discount, premium/discount recognized, interest earnings, adjustments processed and ending balance for the month. These reports are available in FedInvest and on the TreasuryDirect website by the 1st working day after the end of the month to be accessed by Fund Agencies for transaction reconciliation, investment monitoring, and investment strategy initiatives. To create the report, the FIB accountant runs a COBOL program that uses InvestOne accounting system data to create text files of the Monthly Statements of Account at both the summary level and tax lot level for each fund. The FIB accountant sends the tax lot and summary level Monthly Statements of Account via email to the BPD Web Content Management for review and publishing in FedInvest and on the TreasuryDirect website. In addition, previous months’ statements are available for reference purposes.
If the Fund Agency identifies any errors, the Fund Agency should inform FIB so the
necessary adjustments may be made. FIB’s policy requires that FIB accountants complete and
forward Monthly Statements of Account at the tax lot and summary level to the BPD Web
Content Management for review and publishing in FedInvest and on the TreasuryDirect website
by the 1st working day after the end of the month.

IPAC and Classification Transactions and Accountability File

Federal Program Agencies are required to report the monthly investment activity to Treasury,
Financial Management Service (FMS). This reporting is generally accomplished using the
monthly SF-224, Statement of Transactions. However, FIB is able to report daily investment
activity to FMS on behalf of the Fund Agencies by submitting FIB's daily IPAC file to FMS. FIB
creates the FIB daily IPAC file, which is a configured system report, using a mainframe job. The
file includes the Fund Agency's Treasury Account Symbol (TAS) and the Business Event Type
Code (BETC) allowing the activity to be classified in the FMS Central Accounting and Reporting
System (CARS) Account Statement, eliminating the need for the monthly SF-224 report for
investment transactions. FIB reports the investment activity for all Fund Agencies.

Additionally, FIB prepares a daily Classification Transactions and Accountability file to report
non-IPAC activity, which consists of reclassification entries. FIB creates the Classification
Transactions and Accountability file using a mainframe program and the InvestOne accounting
system. FIB uploads the Classification Transactions and Accountability file to FMS using the
CARS system. FIB instructs Fund Agencies to obtain access to the FMS CARS Account
Statement application in order to verify the activity submitted by FIB.
The daily CTA file
replaced the monthly partial SF-224 that was in effect during August and September of 2011 and
includes the same data.

Complementary Fund Agency Controls

Fund Agencies should establish controls to:

•   Review FIB-provided Monthly Statements of Account to ensure that transactions are recorded
    accurately and timely, and report discrepancies to FIB so correction processes may occur.

•   Reconcile investment activity from the FMS application CARS Account Statements to the
    FIB-provided Monthly Statements of Account to verify that investment activity is being
    properly reported by FIB on the Fund Agencies’ behalf.

Tests of Operating Effectiveness and Results of Testing

1. For a selection of Monthly Statements of Account, inspected the Monthly Statements of
   Account on FedInvest and determined that they were posted by the first working day after the
   end of the month.

2. For a selection of transactions, inspected the respective Monthly Statements of Account and
   determined that the transactions were accurately reflected in the Monthly Statements of
   Account.

3. Inquired of FIB management regarding the process of sending the tax lot and summary level
   Monthly Statements of Account via email to the BPD Web Content Management. Observed
   the FIB accountant generate the Monthly Statements of Account and accessed the published
   reports on the web and determined that they cannot be modified and re-saved by anyone
   outside of the BPD Web Content Management team.

4. For a selection of posted Monthly Statements of Account, attempted to modify the published
   Monthly Statements of Account and determined that the modification of the statement was
   prevented.

5. Observed the FIB accountant process the daily IPAC file and noted that the file contained the
   Fund Agency's Treasury Account Symbol and the Business Event Type Code.

6. For a selection of business days, inspected documentation of the daily procedures performed
   by the FIB accountants regarding the daily IPAC file submission and determined that the
   accountants followed the established policies and procedures, as evidenced by the FIB
   accountant’s initials on the daily procedures checklist.

7. For a selection of daily CTA file submissions, inspected the submissions and determined that
   the FIB accountant performed the appropriate procedures, as evidenced by the FIB
   accountant checking the applicable procedures off the daily checklist.

No exceptions noted.

V. OTHER INFORMATION PROVIDED BY THE BUREAU OF THE PUBLIC DEBT

CONTINGENCY PLANNING

System Back Up

The InvestOne accounting system has a contingency plan managed by the Division of Systems
and Program Support (DSPS). There is a formal Division of Federal Investments (DFI), Business
Continuity Plan (BCP), which is part of a larger BCP for the Office of Public Debt Accounting
(OPDA) and the Bureau of the Public Debt (BPD) Continuity of Operations Plan (COOP).
The
Federal Investments Branch (FIB) performs tests on all essential daily InvestOne accounting
system functions [13].

The Office of Information Technology (OIT) performs backups of the InvestOne accounting
system on a regular schedule. OIT retains the backup tapes according to a pre-set schedule [14] at
an offsite facility. OIT stores one copy in the production tape library, and the other copy is
shipped to an offsite facility. Long-term storage of tapes is provided through a contract with an
offsite storage facility. If a backup tape needs to be restored, the request will be made from the
DSPS. OIT will then load the backup tape.

Continuity of Operations

A fire alarm and sprinkler system that is managed, maintained, and tested by the building
management protects the data center [15]. Sprinkler heads are located in the ceiling of each room of
the buildings. This is a pre-action wet pipe system with individual heads that discharge
water. The pre-action system is charged with nitrogen so accidental leaks or corrosion
will not allow the discharge of water in the data center. [16]

The DFI Business Continuity Plan calls for resumption of operations and critical applications of
essential functions within a pre-set time frame [17]. The InvestOne accounting system has been
classified as a critical application.

As part of the DFI BCP, should the facility supporting InvestOne accounting system and
FedInvest become unavailable, designated FIB personnel will relocate to reestablish their daily
operations. When applicable, BPD will revert to manual procedures until the mainframe and
InvestOne accounting system are fully recovered.

[13] FIB performs emergency telework tests on all essential InvestOne functions a minimum of quarterly.
The focus of these tests is to
provide assurances that connectivity can be made and these functions will continue with minimum interruption during any emergency
that may occur with or without warning.

[14] OIT uses IBM's Tape Management System to perform backups daily at 6:00 PM. OIT retains the first backup for 15 days.

[15] Alarms are active 24 hours a day, 7 days a week, and are tied in to the local fire department over phone lines for spontaneous
notification.

[16] In the event the main building, where the InvestOne accounting system is run, becomes inoperable, mainframe operations would be
relocated to the BPD contingency facility in accordance with the OIT data center recovery plan. This facility employs a warm site
strategy for recovery of mainframe operations. OIT has contracted with the Financial Management Service to provide mainframe
equipment for this site.

[17] 4 hour time frame.